IE10 bug? Hotmail / Live / Outlook web interface security compromised?

Kari · 09 Jan 2013

Noticed this when I had accidentally selected Keep me signed in on a PC not belonging to me when checking my Outlook.com emails using Windows 7, IE10 and Outlook.com web interface. Need help to find out how to avoid this kind of situation.

Scenario: Opening Outlook.com with IE10. Logging in with my my_address@outlook.com, accidentally selecting Keep me signed in. All is well, check mails, reply to a few, sign out, closed IE10, shut down the computer.

Was leaving when someone I was waiting to go with asked me to wait 10 more minutes. With extra time in my hands decided to check my other Hotmail account, too. Booted the same PC, opened IE10, went again to Outlook.com and to my surprise it opened to my outlook.com account I had checked earlier, directly without asking for credentials.

I was absolutely sure I had not only closed the IE10 and shut down the PC, but first selected Sign Out from Outlook.com menus. In my opinion this, selecting to log out / sign out should invalidate earlier Keep me signed in selection?

Came home, decided to test this. Here's how it went:
Opening Outlook.com on IE10, entering my my@outlook.com credentials and selecting Keep me signed in (this time deliberately):

IE10 bug? Hotmail / Live / Outlook web interface security compromised?-outlook.com_1.png

Web interface opens, everything OK:

IE10 bug? Hotmail / Live / Outlook web interface security compromised?-outlook.com_2.png

Selecting Sign Out:

IE10 bug? Hotmail / Live / Outlook web interface security compromised?-outlook.com_3.png

Sign out successful:

IE10 bug? Hotmail / Live / Outlook web interface security compromised?-outlook.com_4.png

Logging in with another Hotmail account, this time with my@live.com, not selecting Keep me signed in:

IE10 bug? Hotmail / Live / Outlook web interface security compromised?-outlook.com_5.png

Signing out from this second account:

IE10 bug? Hotmail / Live / Outlook web interface security compromised?-outlook.com_6.png

Sign out successful:

Closed IE10. Reopened IE10, the first mail account (my@outlook.com) appears on Outlook.com as soon as the page is opened, credentials never asked:

My email account can be viewed without credentials simply by closing and reopening IE10, regardless which Hotmail / Live / Outlook.com was opened and signed in and when the account was signed out when the browser was closed.

It seems to me that Outlook.com is not allowing to completely sign out from Outlook.com if Keep me signed in has been selected. In my tests now the account used to sign in with this option will always open automatically without credentials when IE10 is restarted.

Any opinions, tips, advice? I do not like this kind of security leaks, I'm even willing to take the Darwin Award if needed: if this is my own doing, please tell it for me!

Kari

DavidE · 09 Jan 2013

I don't know if this might help as it's about Win8/IE10, but you can take a look.
Maybe IE10 is saving the registry cookies noted in the the last post (Dec. 20, 2012)?
If you have a PC with IE9, could you test that and see if you have the same issue?

Disable Automatic Microsoft Website signon in IE10

Kari · 09 Jan 2013

Thanks for the tip, will check it.

Layback Bear · 09 Jan 2013

The cookie you set when using Keep Me Signed in is still there when you log off and turn the computer off. When you reboot the saved cookie is activated again.
It is probably a (atdmt.com) cookie. Run Super Anti Spyware and you will find it. It will stay gone if removed by SAS until you select Keep Me Signed In again. If you sign in every time you use your email the cookie does not come back.
This might help.
Microsofts atdmt.com cookies