Windows 10 Wi-Fi Sense security warning over automatically shared passwords

Wi-Fi Sense feature shares Wi-Fi passwords with EVERYONE in your Outlook, Skype, Facebook and other contacts list

Microsoft has dropped a major security clanger with a new feature in Windows 10 that has been pinpointed as a glaring security hole - less than one month before the new operating system is due to launch.

Wi-Fi Sense, which actually debuted in Windows Phone, enables a user to share access to Wi-Fi networks that require a password for access with all their contacts - in Skype, Outlook.com (formerly Hotmail) and even Facebook. That means that when their contacts pass a Wi-Fi network that they have a password for, it will enable them to access the network without having to ask for the password.

While it doesn't directly reveal the password to everyone the user has ever sent an email to, it does mean that the password is taken and stored, not just on the original user's device, but also by Microsoft and, by extension, any of the user's contacts.

That, at least, is what the Wi-Fi Sense frequently asked questions states: "For networks you choose to share access to, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server, and then sent over a secure connection to your contacts' phone if they use Wi-Fi Sense and they're in range of the Wi-Fi network you shared."

It also provides Microsoft the unprecedented means to map users, their connections and also where they go - and, potentially, to sell that data to third parties, data protection laws notwithstanding.

The only way a Windows 10 user can prevent their own Wi-Fi network from working with Wi-Fi Sense, and potentially letting Microsoft take the password and share it with everyone in the world, is to add the suffix "_optout" to the Wi-Fi networks name. Furthermore, they must also add "_nomap" if they don't want to be mapped by Microsoft as well.

For many organisations, though, particularly organisations that have valuable intellectual property or sensitive information to keep safe, this automatic sharing of Wi-Fi passwords represents another security risk - especially among less IT-literate staff, who may not even be aware of the full implications of the feature.

Microsoft introduced the feature in Windows Phone 8.1, but barely anyone noticed the security risk because of its low market share. However, with bring your own device (BYOD) and Windows 10 the spotlight has suddenly been swung on Wi-Fi Sense.

Countdown to Windows 10 - read more:

• Thinking of upgrading to Windows 10? It won't take long, but existing software may not work
• 'Fess up, Microsoft: Windows 10 is merely a rebranded Windows 8
• As Microsoft flogs Bing Maps to Uber and Android rumours re-emerge, is the end nigh for Windows Phone?
• 73 per cent of organisations to install Windows 10 within the next two years
• Confirmed: Windows 10 Enterprise does NOT qualify for free upgrade, says Microsoft
• Microsoft's new Windows 10 licensing twist - OEMs must pay MORE for better laptops
• Has Microsoft u-turned on Windows 10 ‘free for everyone' promises?Microsoft confirms Windows 10 launch date: 29 July
• Is a Windows Store spring-clean enough for Microsoft to win back developers for Windows 10?
• Microsoft details seven editions of Windows 10 - including versions for enterprise, mobile and Internet of Things
• No more Patch Tuesday: Windows 10 to update automatically every day
• Paddy Power to move to Windows 10 but is still deciding between Office 365 or Google Apps