Log out doesn't log out: spy on an account, read mails, see OneDrive files of another account than yours


Cloned post from: https://powerusers.microsoft.com/t5/I-Found-A-Bug/Log-out-doesn-t-log-out-spy-account-read-mails-see...


To reproduce this bug, you will need two accounts in the same Office 365 tenant, and Firefox or Chrome (I didn't test it on Edge).

0) Go to office.com in your browser

1) Log in with account 1.

2) Open Outlook in one tab, OneDrive in a second tab.

3) In your OneDrive tab, log out. You will see the message "It's a good idea to close all browser windows". Don't close it for now.

4) Still in the OneDrive tab, press the back button of your browser or enter the address "office.com".

5) Log in with account 2.

6) From now on, if you open Outlook, you get the Outlook of account 1, and if you open OneDrive, you get the OneDrive of account 2.

7) Return to your first tab, where you still have the Outlook of account 1. Refresh the page, open mails, search for mails, send an email: you really are still connected as account 1. You can spy on the mail of account 1 freely.

8) Try to open OneDrive or Outlook from any tab: you will always get this combination: Outlook with account 1, OneDrive with account 2.

9) Close the Outlook tab. Open a new tab and go directly to outlook.office365.com, or open Outlook in a new tab from the menu of your OneDrive tab (account 2): you will get the Outlook of account 1.

 

The problem remains almost identical when you close all browser windows. In a browser cleared of all data, do:

1) Log in on office.com.

2) Log off.

3) Close the tab and close the window, as Office tells you to after the supposed log out.

4) Re-open your browser.

5) Go to office.com: you are logged in without being prompted for any password! (You have never been effectively logged out.)

 

This works, of course, with an administrator account too.

In fact, as an administrator, I can't really log out: I can try whatever I want to log out, click the log out button, close the tab, close the window... when I reopen my browser and go to office.com, I reconnect automatically to the admin portal without being prompted for my password.


The problem is solved only when you use Office.com in a private window of your browser. The problem doesn't seem to be reproducible if you log in with accounts from two different Office 365 tenants (account 1 in tenant A, account 2 in tenant B): when you try to log in with account 2 of tenant B in the OneDrive tab, you are blocked and asked to disconnect from all accounts.

 

Please fix this identification/log-out problem: it's a very critical problem to be able to view the emails of another account in the same browser (think: malevolent employee, spying boss, or public internet computer).

1 Reply

That's sort of known/expected behavior; simply clicking the Log out button never does a "full" logout, as there's a lot of caching happening on both the client and the server side. Closing the browser window should generally work, but only if you close any other currently opened tabs/windows, *and* also make sure to close any background processes via task manager. And you also have to take into account the KMSI setting and the authentication method used by your organization (anything configured for Windows Integrated Authentication will just log you in directly with the current user's credentials).

 

Anyway, these forums are not a support channel; if you want to submit this as a bug, open a support case.
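Editor's added example (not part of either post, and not Microsoft's code): the two sequences in the thread, a second tab that keeps working after a "log out" and a browser that is still signed in after a restart, are the generic symptoms of a logout that only touches client state while the server keeps honouring the credentials it issued. The toy session store below models that with a short-lived session id plus a persistent "remember" token; the remember token is an assumption standing in for the keep-me-signed-in (KMSI) cookie the reply mentions, not a description of how Office 365 or Azure AD actually work. The broken logout only drops the browser's session cookie; the fixed one revokes both credentials on the server first.

```python
"""Toy model of a web login session, added as illustration. It is not code
from the thread and does not reproduce Office 365 / Azure AD internals; it
models the generic failure the posts describe: a "log out" that only
touches the client, so any other holder of the same credentials (another
tab, a restored browser) keeps working. The remember token is an assumed
stand-in for a "keep me signed in" cookie."""
import secrets


class SessionStore:
    """Server side. sid -> user for short-lived sessions, and
    remember-token -> user for the persistent credential."""

    def __init__(self):
        self._sessions = {}
        self._remember = {}

    def login(self, user, keep_signed_in=False):
        """Issue cookies for a fresh login."""
        cookies = {"sid": secrets.token_urlsafe(32)}
        self._sessions[cookies["sid"]] = user
        if keep_signed_in:
            cookies["remember"] = secrets.token_urlsafe(32)
            self._remember[cookies["remember"]] = user
        return cookies

    def resolve(self, cookies):
        """Identify the caller. A live sid wins; otherwise a live remember
        token silently mints a new session (no password prompt)."""
        user = self._sessions.get(cookies.get("sid"))
        if user is not None:
            return user
        user = self._remember.get(cookies.get("remember"))
        if user is not None:
            cookies["sid"] = secrets.token_urlsafe(32)
            self._sessions[cookies["sid"]] = user
        return user

    def logout_client_only(self, cookies):
        """Broken: drops the browser's session cookie and nothing else. The
        server still honours the old sid and the remember token."""
        cookies.pop("sid", None)

    def logout_server_side(self, cookies):
        """Fixed: revoke the session and the persistent credential on the
        server, then drop the cookies. Old copies of either are now useless."""
        self._sessions.pop(cookies.pop("sid", None), None)
        self._remember.pop(cookies.pop("remember", None), None)


def two_tab_scenario(fixed):
    """Steps 1-7 of the first post against the toy server. Tab A (mail) was
    opened as account1 and still holds the sid it was given; tab B logs out
    and signs in as account2. Returns (user tab A sees, user tab B sees)."""
    server = SessionStore()
    jar = server.login("account1")               # shared browser cookie jar
    tab_a = dict(jar)                            # tab A's copy of the session
    (server.logout_server_side if fixed else server.logout_client_only)(jar)
    jar.update(server.login("account2"))         # tab B signs in again
    return server.resolve(tab_a), server.resolve(jar)


def restart_scenario(fixed):
    """The 'log out, close the browser, reopen' case from the second list.
    Session cookies die with the browser; the remember cookie persists.
    Returns the user the server sees on the first request after restart."""
    server = SessionStore()
    jar = server.login("account1", keep_signed_in=True)
    (server.logout_server_side if fixed else server.logout_client_only)(jar)
    jar.pop("sid", None)                         # browser restart
    return server.resolve(jar)


if __name__ == "__main__":
    print("two tabs, client-only logout :", two_tab_scenario(fixed=False))
    print("two tabs, server-side logout :", two_tab_scenario(fixed=True))
    print("restart, client-only logout  :", restart_scenario(fixed=False))
    print("restart, server-side logout  :", restart_scenario(fixed=True))
```

With the client-only logout the two-tab run returns the mixed state from the post (tab A still account1, tab B account2) and the restart run still resolves to account1; with server-side revocation both collapse to the expected result. The practical check when testing any logout is the same as in the thread: capture the session cookie before clicking "log out", replay it afterwards from a different tab or client, and treat a 200 with the user's data as a finding, whatever the UI says.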