New
#1
IE10 bug? Hotmail / Live / Outlook web interface security compromised?
Noticed this when I had accidentally selected Keep me signed in on a PC not belonging to me when checking my Outlook.com emails using Windows 7, IE10 and Outlook.com web interface. Need help to find out how to avoid this kind of situation.
Scenario: Opening Outlook.com with IE10. Logging in with my my_address@outlook.com, accidentally selecting Keep me signed in. All is well, check mails, reply to a few, sign out, closed IE10, shut down the computer.
Was leaving when someone I was waiting to go with asked me to wait 10 more minutes. With extra time in my hands decided to check my other Hotmail account, too. Booted the same PC, opened IE10, went again to Outlook.com and to my surprise it opened to my outlook.com account I had checked earlier, directly without asking for credentials.
I was absolutely sure I had not only closed the IE10 and shut down the PC, but first selected Sign Out from Outlook.com menus. In my opinion this, selecting to log out / sign out should invalidate earlier Keep me signed in selection?
Came home, decided to test this. Here's how it went:
Opening Outlook.com on IE10, entering my my@outlook.com credentials and selecting Keep me signed in (this time deliberately):
Web interface opens, everything OK:
Selecting Sign Out:
Sign out successful:
Logging in with another Hotmail account, this time with my@live.com, not selecting Keep me signed in:
Signing out from this second account:
Sign out successful:
Closed IE10. Reopened IE10, the first mail account (my@outlook.com) appears on Outlook.com as soon as the page is opened, credentials never asked:
My email account can be viewed without credentials simply by closing and reopening IE10, regardless which Hotmail / Live / Outlook.com was opened and signed in and when the account was signed out when the browser was closed.
It seems to me that Outlook.com is not allowing to completely sign out from Outlook.com if Keep me signed in has been selected. In my tests now the account used to sign in with this option will always open automatically without credentials when IE10 is restarted.
Any opinions, tips, advice? I do not like this kind of security leaks, I'm even willing to take the Darwin Award if needed: if this is my own doing, please tell it for me!
Kari
Last edited by Kari; 09 Jan 2013 at 14:41.