Wait what? I'd argue that activation links is the least problem here.

and a friend just told me that #Microsoft was now «less bad» that it had been, much better than #google or #facebook,... Seriously, how many times do they have to trespass before it sinks in ? #MS is not your friend. None of them are.

Skype also has a history of taking links in private conversations

I've experienced something similar myself, while trying to figure out why one-time login links were expiring for random outlook.com email addresses. Digging into the server logs I saw a Microsoft IP address send a HEAD request of the login link included in the email, which was invalidating the one-time link.

I solved it by having my app ignore HEAD login requests and only process GET requests, as my robots.txt file disallows indexing.

Still really rubbed me the wrong way. I figured it was some kind of anti-phishing gimmick, but the fact that they're just using it to populate their spider is an egregious violation of user trust.

Textbook reason for breaking up big tech companies and keeping them small, or at least preventing them running more than one online service.

Repeat after me: unencrypted email is not a secure communication channel.

Yandex had a big scandal in 2018 when they indexed public Google Docs anonymous editor links and Google didn't expect this so robots.txt was wide open.

Oh ffs... Every time I think it can't get worse, it does...

Here’s a fix for all #backend #dev
https://fosstodon.org/@lil5/108555415793878930

MS has been trying to make Bing work locally for enterprises, so it can find things that were sent to/from you via Bing/Cortana. They have a custom enterprise site that lets you search company-related stuff instead of just public www-stuff. I guess e-mail needs to be indexed in order to do that.

@hbenjamin There are many reasons for systems to automatically visit links contained in emails. Some feel pretty evil (see OP's link) but others are definitely good (inspection for safety).

So the conclusion about not sending magic links is probably a good one.

So that's why Github sends you text to copy-paste on their website.

I guess newly thankful that I use FastMail, even when it's less convenient at times.

Microsoft outlook has also a link protection feature that "scan" links in order to prevent the user to go to a malicious website.

That is the ad.

When the user clicks on the link in outlook email, microsoft is notified and will also make a visit to the link. However this visit will happen a few seconds after the user reaches the link endpoint so he could already be trapped....
This is done to avoid a long delay on link clicks I guess but it defeats the security argument.

Saw your post earlier this week and thought about this one. keys.openpgp.org verify links could also be compromised with this as an exploit. Makes me wonder is if some domains are filtered from the indexing.

And once again, we see why we can’t have nice things. 🤦🏻‍♂️