Yup, I found about this when I accidentally clicked on such a link to PlayStore that was missing the colon and was confused when it didn't work and copy-pasted it in the address bar. I am sure it was just a typo on that website.
GitHub is full of similar typos in documentation and code files (74.8k results). I am not sure if there's a way to do a web search based on code and find "live" examples but I can't imaging there'd be a shortage of those either.
Except this thing is opt-out and would put a whole lot of data on tens of millions of computers including things that were never stored by default (credit card numbers, reset codes, e2e encrypted messages etc).
That is irrelevant to the topic of its security being exploited as claimed.
- - -
Most browsers beg to store credit cards by default, e2e encrypted messages are already accessible by the user (because they are one of the "ends"), reset codes are probably in most people's download folders, in the stuff-sent-to-the-printer cache, or forgotten completely (which IMO is worse)
The fact there's now a central repo for it all.
Scraping far more than just "credit card" and "passwords/logins" (personal details ever shown on your screen? Porn? Blackmail much? and don't give me the "if you've nothing to hide" spiel) People you connect to? Hey, now we can make a social graph. Contacts is one thing, but contents of chats? Let's add on more graph data. I mean, sure FB already does that, but there's legal avenues to pursue remedies(in theory). Here? What can you do but get pwned harder.
Stop excusing MS for this poorly thought out feature. They're returning the old ways and should not be given sympathy til they prove they are committed to privacy and security (which this seems to go against after Nadella's "WE MUST MAKE SECURITY FIRST" dictate)
The central repo is called the web browser. Porn is in your web browser's history. People you connect to is in your web browser's history. Content of your chats can be accessed using the cookies in your web browser's cookiejar.
If you are security-aware enough to avoid those issues, then you aren't using a closed-source operating system in the first place.
And now your keylogger doesn't even need to clear the minimal hurdle of using the screen recording APIs to get screen data, it can simply read a folder to defeat "secure" onscreen keyboards and it'll work across the vast majority of (future) computers.
Now thousands of tech-impaired organizations have to proactively go out and find alternatives that don't alienate their users. How many of do you think will get it right as opposed to ever more inconvenient security theater to satisfy compliance checklists?
RoboForm auto-upgraded my "perpetual" license that I bought over 10 years ago and now it's in "read-only" mode (doesn't allow auto-fill or adding new passwords) unless I pay them a MONTHLY subscription AND it synced all my passwords to their server without my consent.
