Windows Phone 7 keeps synchronising despite changed Live password

Discussion in 'Mobile and Portable' started by s_a, Sep 6, 2012.

  1. s_a

    s_a MDL Novice

    Apr 8, 2011
    #1 s_a, Sep 6, 2012
    Last edited: Sep 6, 2012
    Anybody care to verify this?

    The situation:
    * Factory restored my Nokia Lumia 610 with Windows Phone 7 (7.10)
    * Created a new (empty) Windows Live account (on
    * Created a couple of fake contacts in "People" (on
    * Associated my phone with the new Windows Live account
    * Synchronised the phone with my Live account - contacts transferred to phone
    * Changed Live password (on
    * Just to check, tried to access Marketplace - prompted to enter password (since the password in my phone was wrong)
    * Deleted a few contacts on the phone
    * Synchronised the phone with my Live account - no objections as to the changed password
    * Looked in "people" on (Live account) - Deleted phone contacts are gone from here as well!
    * Deleted a few contacts on
    * Synchronised the phone with my Live account - no objections as to the changed password
    * Looked in "People" on the phone - Deleted Live contacts are gone from here as well!
    * Added some appointments in the Live (Hotmail) Calendar
    * Synchronised the phone with my Live account - no objections as to the changed password
    * New appointments show up in the Phone calendar!

    I even tried this without the uSIM (using WiFi) - same results (without the hassle of giving uSIM PIN)

    How is this even possible? Even if you manually specify the wrong password in the phone settings (email+accounts/Windows live), synchronisation will always be successful.

    * Assume you lose your phone (stolen). Changing the password on the Live account to be sure nobody accesses it seems like good idea. Contacting the Service provider to block the uSIM also seems legit. Apparently, that's not enough. The person who stole your phone can delete and add contacts and appointments as he pleases. He can also monitor any alterations to the contacts and calendar.

    * Assume you are a businessman (who does not use Exchange to sync). Your competitor arranges to steal your phone. You change the password on Windows Live and move on, thinking you are safe. You still book appointments using either a new Windows Phone or via other services connected to your Live/Hotmail calendar. You are oblivious to the fact that your competitor can track any alterations to your Live calendar and thus can beat you to client meetings, or worse.

    * Assume you are a kidnapper on the prowl for a victim, a businessman. You steal your victim's Windows Phone. The victim changes the Live password and buys a new phone, carrying on as before. You sit back and monitor the victim's calendar, moving to strike on the best opportunity that the Calendar suggests.

    Microsoft's "new" service gives you the ability to restore deleted contacts (from the last 30 days), so unless discovered later, they can be restored. However, the Calendar on is still the old Hotmail Calendar and that does NOT have any possibility to restore deleted items. Gone forever. So much for "cloud backup)

    What you should do is, of course, to kill the Live account, but I strongly believe that many will think a password change will do the trick.

    However, the most important question is: What kind of link is there between the Live account and the Phone unit? As I have discovered, the connection goes beyond and around the password protection. Somehow the Phone unit is uniquely paired with the Live account once you have connected it. Is this by "design" (ie as a non-interruptible "service" to the user who'll always stay synchronised) or a security flaw allowing anybody access to your Live account? Either way, it's beyond the user's control.

    Anybody care to verify this?