Severity of Windows 8 Privacy Flaw Questioned


InfoWorld's Woody Leonhard recently reported on a white paper (PDF) by Amanda C.F. Thomson, a grad student at George Washington University. "You might not know -- at least, I was very surprised to find -- that Windows 8 doesn't build its Contacts list dynamically," Leonhard wrote. "Instead, it keeps a cache of contacts from all of those sources stored on the machine. The cache persists even when the user logs off or the machine is turned off. That means anyone who can sign on to your PC with an administrator account can see all of your contacts and all of their data -- names, email addresses, pictures, telephone numbers, addresses -- whatever you have on file or whatever's been sucked in from Hotmail, Gmail, Facebook, Twitter, and LinkedIn."

But as Computerworld's Preston Gralla notes, in order to get access to that cache, you have to be able to log into the computer with administrator access. "The real problem isn't as much Windows 8 as it is the overuse of an administrator account," Gralla writes. "People should use such an account only rarely, and not for normal operations of their PC, because of the access it gives to all parts of the operating system. And they should never share that account with others."

And CSO Online's Taylor Armerding quotes Michael Cherry, lead analyst, operating systems at the analysis firm Directions on Microsoft, as saying this is far from a security meltdown. "First and most important, he says, is that this is a beta version of Windows 8 -- a release preview," Armerding writes. "While it is in wide use, 'the point is that this is the kind of thing they are looking for.'"

"'My sense is that Microsoft will take some steps to remedy any issues, but in the area of privacy, the remedy may simply be to tell people that their information is shared among the services,' he told CSO Online," Armerding writes.