Orange.fr logs me into email and my account automatically.

[Jez Caudle]

I have seen something posted along these lines elsewhere on this forum but I couldn't find a solution.

I have just had ADSL installed in my rental flat. I have gone for the service from Orange with the TV channels and phone.

Setting up the LiveBox and the TV was really easy - I have configured the dynamic DNS so I can do remote admin etc.

I decided to see if I could administer my Orange account and visited Orange.fr

To my horror it automatically logged me in and allowed me to read the 8 emails Orange have sent me.

I tried visiting the web site using a different browser and it also logged me on automatically. I then asked the wife to try with her laptop and the same thing happened - straight in, no password.

I'm leaving in the morning and have clients coming in. If they connect to the LiveBox and then visit Orange.fr they can administer my account, read my emails - do what they like.

Does anyone know a way of closing this obvious security hole the size of bus?

[Which idiot at Orange thought that this was a good idea? - I'm not expecting an answer to this question.]

[Mr Coeur de Lion]

That's odd.

I always have to log in to my orange account although it brings up the login name automatically.

Perhaps you've changed a setting too many?

[AnOther]

Jez, didn't realise that you had raised the same point on another almost concurrent thread !

I'll repeat the response I my posted there:

*************

I'm afraid that's the way it is with the Orange messengeire (or at least for newer accounts according to Richards experience)

Obviously

somebody a bit lacking in foresight though it would be a welcome

convenience for the Livebox to be permanently logged in with no way

whatsoever to log out. If you go to Orange.fr from your own Livebox

then yes, you will find that you are logged in but of course from

anywhere else you wouldn't be.

If you are concerned about

friends or guests being able to access your email then all you can do

is not use Orange for your email and instead sign up for a Yahoo or

Gmail account - or change ISP being sure to tel Orange why.

It's seldom a good idea to tie yourself to an ISP's email which you'll likely have to kiss goodbye to if you changed.

********************

I'm surprised you find yourself logged in from anywhere, possibly it's something to do with your DynDNS setup. I have the identical package but am not logged into my account via Orange.fr when away from home, as I am now.

Have you tried deleting your cookies ?

[minnie]

I should add that we are not logged in automatically when away from home computer

[Quillan]

OK this is what you do.

In your browser go to the orange website (www.orange.fr) .

In the top left under under the Orange banner you will see and @sign followed by your name. Slightly to the right of this is a small drawing of a persons head and shoulders with a X across it. Click on this and you will be logged out. When you login (or identify yourself) under the password box and to the left is a box which should have no tick in it as that is the box, when ticked, that tells the machine to remember your password. If the box is not ticked, which is the default, then everytime you go to the Orange page you will have to login. I have just tested this and thats the way it works.

Personally I didn't use the Orange software and use Outlook to retrieve and send my emails which deletes everything from the server every time I connect to get my emails (it stores them locally on my machine). You will find email reception and transmissions much faster using Orange as opposed to hotmail etc.

If you think friends and guests are going to use your computer I would strongly suggest that you create another user like Guest for example. You can remove admin rights and lock the PC so people can't install or remove programs plus they wont have access to programs you have installed and when they start the browser it won't automatically log them in to Orange. Personally I set my home page for guests to by own website.

 

[AnOther]

Well there is another lie to add to the long list that FT have told me then !

I called and asked about this when I first signed up with them just last month as I had also heard about the problem but was told I couldn't log out, not that I use or plan to use Orange mail anyway.

As a test I've just logged in from where I am and successfully logged out again and in the morning I'll have 'er indoors go to Orange.fr and see if she is automatically logged in or not.

I'll be back !

[Jez Caudle]

Just got back to the UK and of course it doesn't recognise my IP address so asks me to log in.

On the Cookie front, it isn't using cookies. I deleted all my cookies when I tried with Safari and it still worked. It still worked with Firefox and it still worked using IE7 when I fired up a virtual machine. It worked for my wife when she tried with her laptop. I didn't try my iPhone but I'm sure it would have gone straight in.

Orange.fr recognises my IP address and the LiveBox that it is bound to and as a "convenience" logs me in without a user name and password. This is such a good idea the banks should adopt it - NOT!

I was thinking of altering the routing tables on the LiveBox so that Orange.fr became inaccessible but I didn't have time.

I don't need the email - I just don't want my rental clients being able to order mobile phones and other services when they are sat in my flat.

Thanks for the tip re:logging out, but I'm back in the UK now so I can't actually follow your advice :-(

Time to call the help line and try and not be abusive - as someone who is responsible for IT Security in my daily job that is going to be difficult.

Looking forward to seeing the results of AnOther's wife's experiment.

[Quillan]

[quote user="Jez Caudle"]Just got back to the UK and of course it doesn't recognise my IP address so asks me to log in. On the Cookie front, it isn't using cookies. I deleted all my cookies when I tried with Safari and it still worked. It still worked with Firefox and it still worked using IE7 when I fired up a virtual machine. It worked for my wife when she tried with her laptop. I didn't try my iPhone but I'm sure it would have gone straight in. Orange.fr recognises my IP address and the LiveBox that it is bound to and as a "convenience" logs me in without a user name and password. This is such a good idea the banks should adopt it - NOT! I was thinking of altering the routing tables on the LiveBox so that Orange.fr became inaccessible but I didn't have time. I don't need the email - I just don't want my rental clients being able to order mobile phones and other services when they are sat in my flat. Thanks for the tip re:logging out, but I'm back in the UK now so I can't actually follow your advice :-( Time to call the help line and try and not be abusive - as someone who is responsible for IT Security in my daily job that is going to be difficult. Looking forward to seeing the results of AnOther's wife's experiment.[/quote]

If you logout then login without the box ticked it will not log you in again automatically next time even when connected to the Livebox. Well it works for me anyway.

[AnOther]

Didn't have time this morning but will try the experiment this evening and report back.

I suspect what may happen is that she will find herself logged in and will be able to logout however it will automatically log her back in when she revists Orange.fr.

Quillan may be right but I don't think this is the default behaviour so you'd have to know to log out and back in with the 'remember me' box unticked, a box you will never see of course until you do first log out !

Lets see this evening.

[Jez Caudle]

If you logout then login without the box ticked it will not log you in again automatically next time even when connected to the Livebox. Well it works for me anyway.

----

But I can't try it because I'm in the UK now :-(

I'll have to send someone round to do it but they'll charge me €35 per hour for this. I did't have time to ring the help line today - something for tomorrows to-do list.

Thanks every one for your help. I only joined the forum to try and get some help but I'll hang around and see if I can help others.

[AnOther]

OK peeps, here's the story.

Had 'er indoors go to Orange.fr, she was logged automatically and saw NO 'persons head and shoulders with a X across it' as Quillan describes to log out, nor any other obvious option to do so.

I, at exactly the same time, was logged in from my present location and did have it to log out with so it would appear that two different pages, if not sites or servers, are in play here.

[gosub]

[quote user="AnOther"]OK peeps, here's the story.

Had 'er indoors go to Orange.fr, she was logged automatically and saw NO 'persons head and shoulders with a X across it' as Quillan describes to log out, nor any other obvious option to do so.

I, at exactly the same time, was logged in from my present location and did have it to log out with so it would appear that two different pages, if not sites or servers, are in play here.

[/quote]

You need to go to the Messagerie page, then click on the X, the next time you go to the Orange.fr page or  Messagerie you will not be recognised.

[gosub]

[quote user="Jez Caudle"]If you logout then login without the box ticked it will not log you in again automatically next time even when connected to the Livebox. Well it works for me anyway.

----

But I can't try it because I'm in the UK now :-(

I'll have to send someone round to do it but they'll charge me €35 per hour for this. I did't have time to ring the help line today - something for tomorrows to-do list.

Thanks every one for your help. I only joined the forum to try and get some help but I'll hang around and see if I can help others.[/quote]

You can do it from the UK, go to the Orange "messagerie" Page and click the persons head with the X on it, if you hover over it, says something like "ne plus etre identifié comme xxxxxxxx"

[AnOther]

[quote user="gosub"]You need to go to the Messagerie page, then click on the X, the next time you go to the Orange.fr page or  Messagerie you will not be recognised.[/quote]You miss the point gosub, there is no X for her. Also when I first got my Livebox I was immediately logged in the first time I went to Orange.fr.

It's a known issue, see 4th post this forum:

http://livebox.asso.fr/forum/viewtopic.php?f=17&t=19247&view=next

Logging out form here (UK) has no effect on her and the Livebox

EDIT: From assistance.orange.fr

After you have logged on orange.fr, it is possible, after use, to terminate your identification. This feature is however available only for users who need to identify.

Which means that from a remote location you have to log in - hence you can log out - but because at home login is automatic there is no logout option, exactly my experience with 'er indoors.

[Quillan]

Are you running Windows XP and can you create a 'login' for your wife. I am thinking that if you both have different logins to Windows that the profiles will be seperate for both you and her. Perhaps she would then get her emails when loged in as her and you would get your emails when logged in as you.

All I can say is I am running Wifi to my router downstairs and what I described is what I get. I personally have it logged out because as I said I get my emails via Outlook or my mobile phone.

[AnOther]

She has her own computer Quillan and neither of us want or need Orange mail, nor plan to and as far as I know tonight, at my request, was the first time she has ever visited Orange.fr.

I don't see how a different profile on a computer is going to affect anything though, the automatic login has to be a function of the Livebox and Orange's system and anything plugged into it via ethernet or wirelessly connected will see the messengerie if a user goes to Orange.fr.

Maybe it's a hardware/firmware issue. Mine is the new Livebox 2, and it sounds like the OP's may be the same, however I believe yours is probably older and a different model. Also I have not used the Orange CD at all so whether that makes any odds I couldn't say.

[Quillan]

I just read the posts in the forum you gave a link to. It seems to me that the 'work around' to get the little symbol to disconnect (or even appear) only comes up if you have two or more accounts, or so some guy there says. If you only have one account you won't get the option nor the symbol.

I can, to a degree, see the logic of the oink that programmed this bit and its quite clever in a way but then its not for everyone so a choice would be nice especially if you PC is in a 'public' area of the house.

The most alarming thing is IF it also does not ask you to login if you go to your account (not the email account but the bit where you view your bills etc). People would be able to change things and see your payment details. I assume they had the common sense not to allow this to happen but as I don't have the problem you guys are getting I can't test that theory out.

[AnOther]

I agree Quillan and I fear that your IF scenario is fact but I can't prove it form afar, another experiment for 'er indoors later maybe.

It beggers belief that somebody thought this was a good idea. It's a shocking and frankly imbecillic 'feature' which cannot have been thought through properly, if at all. Even ignoring the potential threat from outside I would guess that it is the minority of households and customers which will consist of single users so there is an inherent threat from within.

I wonder why yours is different, is it simply because of a different Livebox ?

[Quillan]

Thinking about my last post perhaps it's because I have three login's that I have the the little symbol. My Livebox is just over a year old by the way, its a 'wedgy' shape if that helps.

For a lot of single users I can se the logic of the idea but as I said its not for everyone. The bit that I think is stupid is that you don't have a choice. Perhaps if they get loads of complaints, like it appears they are having, that they may change it back.

What I am waiting for is the ability to 'call forward' which we had on our old landline. That facility would make life so much easier for us. I was told its coming but when is the big question.

[AnOther]

How do you have 3 logins ?

[Quillan]

I created three email accounts, one for me, one for the wife and another which I use for Ebay. You can create up to four making a total, including the original of five. You can also change the name of the original one.