
Security Flaw In Yahoo Mail Exposes Plaintext Authentication Info

Posted by Soulskill
from the who-needs-encryption-anyway dept.
holdenkarau writes "Yahoo!'s acquisition of open source mail client Zimbra has apparently brought some baggage to the mail team. The new Yahoo! desktop program transmits the authentication information in plain text. The flaw was discovered during a Yahoo 'hacku' Day at the University of Waterloo (the only Canadian school that was part of the trip). Compared to the recent news about Gmail exposing the names associated with accounts, this seems downright scary. So, if you have friends or relatives who might have installed Yahoo! desktop and value their e-mail accounts, now would be a good time to get them to change the password and switch back to the web interface."
  • by Splab (574204) on Saturday September 27, 2008 @11:25AM (#25177561)

    I mean seriously, most sites transmit their passwords in plain text, and most people use the same credentials everywhere, so what's the big fudging deal?

    If you can't trust your upstream provider you should be using someone else anyways.

    • by cwtrex (912286)

      I guess the question to ask then, is how about GMail? Does anyone know if they are more secure? If so, then perhaps it'd be worth our time to convince some more people to switch for the sake of security.

      • Re: (Score:3, Informative)

        by holdenkarau (1130485)

        I guess the question to ask then, is how about GMail? Does anyone know if they are more secure? If so, then perhaps it'd be worth our time to convince some more people to switch for the sake of security.

        gmail is more secure, it actually requires SSL to connect to the IMAP & POP servers (Yahoo! doesn't support SSL on its IMAP servers).

    • I mean seriously, most sites transmit their passwords in plain text, and most people use the same credentials everywhere, so what's the big fudging deal? If you can't trust your upstream provider you should be using someone else anyways.

      I agree, the average Joe uses their street address, their birthday or their children's names as their password and uses it everywhere. You don't have to intercept their password to hack it if you really want to. That being said, because they use the same username/password e

      • by Splab (574204)

        Yeah don't get me wrong, I think security is a big issue, but I (we) are not Joe Average.

        I've got KDEWallet to store my passwords, use different passwords in different places, and if the site is even slightly shady I use a different login from my default (splab).

        A good example of forcing security (I think) is the way we handle PIN codes at work (used for signing in on your phone). Rather than using a 4-digit code we require a 5-digit one and suggest they should not use any part of their credit card PIN. Now we c

      • by hairyfeet (841228)
        That is why I tell my users to use the number on their keyboard, or monitor, etc. That gives them a nice mix of letters and numbers and no dictionary attacks, and if they forget they can flip the keyboard over or look at the back of the monitor. For example, if I used the keyboard I am typing on I would have RT-231-btw, which makes a nice obscure password, but if I needed it I could just flip the keyboard over. Certainly better IMHO than having them use the name of their cat or their b-day.
        • by Splab (574204)

          Mix it up with something known; yeah, someone knowing the procedure would still get through, but as you said, it beats nothing.

          However, still not a good solution.

          • by hairyfeet (841228)
            This is to help with online hackers, NOT the guy in the next cubicle. Because I have found working with SMBs that the guy in the next cubicle can usually go "My PC is acting up and I have to get this mailed. Can I use yours for a sec?" and there you go. But the odds of an online hacker guessing the arcane number+letters+dashes used in your average keyboard or monitor model number are pretty non-existent. And don't forget, we are talking about users that before they talked to me had passwords like "fluffy" and
  • I haven't looked carefully at the rest of the platforms that Yahoo provides, but I believe that at least Yahoo Messenger (when connecting with Pidgin anyway) also sends the same auth credentials in plain text. Not that the overall problem is insignificant (*any* time auth credentials are sent, in any context, they should be encrypted), but worrying only about IMAP is naive in this case. (What about POP? What about all the Y! web platforms?)

    • Re: (Score:2, Insightful)

      by holdenkarau (1130485)

      I haven't looked carefully at the rest of the platforms that Yahoo provides, but I believe that at least Yahoo Messenger (when connecting with Pidgin anyway) also sends the same auth credentials in plain text. Not that the overall problem is insignificant (*any* time auth credentials are sent, in any context, they should be encrypted), but worrying only about IMAP is naive in this case. (What about POP? What about all the Y! web platforms?)

      Yahoo! POP is SSL encrypted (and only available to pro account users in any case). Part of the worry for me is Yahoo! doesn't disclose that the connection is unencrypted in the default program, and there is no way to get it to use encryption (the server doesn't even support encryption). As far as other Yahoo! properties I have no idea.
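Added illustration, not part of the thread and not Yahoo! or Zimbra code: the check that makes the complaint above concrete. The script scans a transcript of an unencrypted IMAP session (port 143) and recovers any credential sent via LOGIN or AUTHENTICATE PLAIN before STARTTLS completed. The three sample sessions, their tags, mailbox names and passwords are constructed for the example; the protocol details (LOGIN syntax, SASL PLAIN encoding, STARTTLS, SASL-IR) are the standard IMAP ones.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample transcripts of IMAP sessions on port 143 (C: client, S: server).
# They are not real captures; names, tags and passwords are invented for the example.
SESSION_PLAINTEXT = """\
S: * OK IMAP4rev1 server ready
C: a001 CAPABILITY
S: * CAPABILITY IMAP4rev1 AUTH=PLAIN
S: a001 OK CAPABILITY completed
C: a002 LOGIN "alice@example.com" "hunter2"
S: a002 OK LOGIN completed
"""

SESSION_SASL = """\
S: * OK IMAP4rev1 server ready
C: b001 AUTHENTICATE PLAIN
S: +
C: AGJvYkBleGFtcGxlLmNvbQBzM2NyM3Q=
S: b001 OK AUTHENTICATE completed
"""

SESSION_STARTTLS = """\
S: * OK IMAP4rev1 server ready
C: c001 STARTTLS
S: c001 OK Begin TLS negotiation now
C: c002 LOGIN "carol" "shown-here-but-ciphertext-on-the-wire"
"""

LOGIN_RE = re.compile(r'^(\S+)\s+LOGIN\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)\s*$', re.I)
AUTH_PLAIN_RE = re.compile(r'^(\S+)\s+AUTHENTICATE\s+PLAIN(?:\s+(\S+))?\s*$', re.I)
STARTTLS_RE = re.compile(r'^(\S+)\s+STARTTLS\s*$', re.I)


@dataclass
class Finding:
    tag: str
    mechanism: str
    username: str
    password: str


def _unquote(s: str) -> str:
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def decode_sasl_plain(b64: str) -> Optional[Tuple[str, str]]:
    """SASL PLAIN is base64(authzid NUL authcid NUL password): encoding, not secrecy."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def find_cleartext_credentials(transcript: str) -> List[Finding]:
    """Return every credential that crossed the wire before TLS was negotiated."""
    findings: List[Finding] = []
    pending_auth_tag: Optional[str] = None   # AUTHENTICATE PLAIN waiting for the "+" reply
    starttls_tag: Optional[str] = None       # STARTTLS waiting for the server's tagged OK
    for line in transcript.splitlines():
        side, _, payload = line.partition(": ")
        if side == "S":
            if starttls_tag and payload.upper().startswith(starttls_tag.upper() + " OK"):
                break  # from here on the bytes on the wire are ciphertext; stop scanning
            continue
        if side != "C":
            continue
        if pending_auth_tag is not None:
            creds = decode_sasl_plain(payload.strip())
            if creds:
                findings.append(Finding(pending_auth_tag, "AUTHENTICATE PLAIN", *creds))
            pending_auth_tag = None
            continue
        if m := LOGIN_RE.match(payload):
            findings.append(Finding(m.group(1), "LOGIN", _unquote(m.group(2)), _unquote(m.group(3))))
        elif m := AUTH_PLAIN_RE.match(payload):
            if m.group(2):  # SASL-IR: initial response carried on the command line itself
                creds = decode_sasl_plain(m.group(2))
                if creds:
                    findings.append(Finding(m.group(1), "AUTHENTICATE PLAIN", *creds))
            else:
                pending_auth_tag = m.group(1)
        elif m := STARTTLS_RE.match(payload):
            starttls_tag = m.group(1)
    return findings


if __name__ == "__main__":
    for name, session in [("plaintext LOGIN", SESSION_PLAINTEXT),
                          ("AUTHENTICATE PLAIN", SESSION_SASL),
                          ("STARTTLS first", SESSION_STARTTLS)]:
        hits = find_cleartext_credentials(session)
        print(f"{name}: {len(hits)} credential(s) exposed", *(f"  {h}" for h in hits), sep="\n")
```

The point the AUTHENTICATE PLAIN case makes is that base64 is not protection: anyone on the path decodes it in one call. The STARTTLS case shows the only state in which a scanner (or an attacker) stops seeing credentials, which is also the state a client should insist on before sending them.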

  • by Scott Kevill (1080991) on Saturday September 27, 2008 @11:58AM (#25177739) Homepage

    After all, you've just told them the app uses plain text, then you tell them to use the app to change the password. :)

    That said, the friends and relatives probably use machines running key loggers anyway.

  • Google vs Yahoo. Evil ... or stupid?

  • by Anonymous Coward

    I have never liked the concept of free E-mail. Like Robert Heinlein said, TANSTAAFL.

    This is why I recommend people use paid ISPs for their real E-mail accounts, and perhaps use Yahoo, Google, or Rocketmail for registering on spammy websites where they want an E-mail address so they can make their advertisers happy.

    I will sound like a MS shill here, but this is something I like about MS Exchange. The POP3, IMAP, and OWA services can all be configured to be SSL/TLS only. I know that with an Exchange hosted pr

    • Nice, you have an opinion; now where is your analysis? I like having the same email after 8 years and changing 5 different ISPs and 4 different jobs. The spam filtering works reasonably well and I have access to old emails from the entire period. I can get to my email any time/any where. I can count on one hand the number of times the service wasn't available.

      I like yahoo mail.

    • by Mr Z (6791) on Saturday September 27, 2008 @05:31PM (#25179807) Homepage Journal

      This is why I recommend people use paid ISPs for their real E-mail accounts, and perhaps use Yahoo, Google, or Rocketmail for registering on spammy websites where they want an E-mail address so they can make their advertisers happy.

      When I signed up for DSL service, it was with SBC Yahoo! DSL, you insensitive clod!

    • by RiffRafff (234408)

      "This is why I recommend people use paid ISPs for their real E-mail accounts, and perhaps use Yahoo, Google, or Rocketmail for registering on spammy websites where they want an E-mail address so they can make their advertisers happy."

      Guess what? More and more "paid ISPs" are cutting costs and decommissioning their mail servers in favor of Google Apps/Gmail. ISP.com, for example, is currently switching their users over.

  • time to switch to Linux, go back to the web interface, and change passwords?

    Well, desktop Linux has to come one way or another. Haven't you guys heard of guerrilla tactics?

  • by mkraft (200694) on Saturday September 27, 2008 @02:20PM (#25178543)
    According to a post by a Zimbra employee over at their forums [zimbra.com], this will be corrected in the next version of Zimbra Desktop.
    • Re: (Score:2, Insightful)

      by jra (5600)

      *What* will be fixed in the next version of Zimbra? The fact that *Yahoo* allows cleartext passwords?

      Cause that's not Zimbra's fault.

      In fact, the *Zimbra* server-side component, while it permits you to allow clear-text POP and IMAP logins, defaults that switch to off.

      What's that tag again? Badsummary?
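Added example, not from the thread, Yahoo! or Zimbra: what a server-side cleartext switch that defaults to off looks like at the protocol level, and why it only protects users whose client actually honours it. The policy class, its field names, the scripted client and the credentials are hypothetical; the capability strings (STARTTLS, LOGINDISABLED) and the PRIVACYREQUIRED response code are the standard IMAP ones.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ImapServerPolicy:
    """Hypothetical server-side switch for the example: may LOGIN / AUTHENTICATE PLAIN be
    accepted before TLS?  Off by default, the posture described above for the Zimbra server."""
    cleartext_login_allowed: bool = False
    offers_starttls: bool = True

    def capabilities(self, tls_active: bool) -> List[str]:
        caps = ["IMAP4rev1"]
        if not tls_active and self.offers_starttls:
            caps.append("STARTTLS")
        if tls_active or self.cleartext_login_allowed:
            caps.append("AUTH=PLAIN")
        else:
            caps.append("LOGINDISABLED")  # RFC 3501: a client MUST NOT issue LOGIN when it sees this
        return caps

    def handle_login(self, tag: str, tls_active: bool) -> str:
        if tls_active or self.cleartext_login_allowed:
            return f"{tag} OK LOGIN completed"
        return f"{tag} NO [PRIVACYREQUIRED] cleartext login disabled"


def client_may_send_credentials(caps: List[str], tls_active: bool) -> Tuple[bool, str]:
    """What a careful client decides before putting a password on the wire."""
    if tls_active:
        return True, "TLS active"
    if "LOGINDISABLED" in caps:
        return False, "server forbids LOGIN until TLS"
    if "STARTTLS" in caps:
        return False, "STARTTLS offered; upgrade first"
    return False, "no TLS available; refuse rather than leak the password"


def run_session(policy: ImapServerPolicy, careful_client: bool) -> Tuple[bool, List[str]]:
    """Scripted exchange. Returns (password_readable_on_wire, transcript).
    careful_client=False models a client that fires LOGIN regardless of what the server advertises."""
    tls_active = False
    log: List[str] = []
    caps = policy.capabilities(tls_active)
    log.append("S: * CAPABILITY " + " ".join(caps))
    if careful_client:
        ok, why = client_may_send_credentials(caps, tls_active)
        if not ok:
            if "STARTTLS" not in caps:
                log.append(f"C: (abort: {why})")
                return False, log
            log.append("C: a001 STARTTLS")
            log.append("S: a001 OK Begin TLS negotiation now")
            tls_active = True
            caps = policy.capabilities(tls_active)
            log.append("S: * CAPABILITY " + " ".join(caps))
    log.append('C: a002 LOGIN "alice" "hunter2"')  # constructed credentials
    log.append("S: " + policy.handle_login("a002", tls_active))
    # A NO from the server does not un-send the password: exposure depends only on TLS state.
    return (not tls_active), log


if __name__ == "__main__":
    for label, policy, careful in [
        ("default server, naive client", ImapServerPolicy(), False),
        ("default server, careful client", ImapServerPolicy(), True),
        ("cleartext allowed, naive client", ImapServerPolicy(cleartext_login_allowed=True), False),
    ]:
        exposed, log = run_session(policy, careful)
        print(f"== {label}: password readable on wire = {exposed}")
        print("\n".join(log))
```

In the naive-client case the server's NO arrives after the password has already crossed the wire, which is why a server default protects nothing against a client that ignores LOGINDISABLED; the third case, where the server accepts the cleartext LOGIN as well, is the combination the summary describes.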

    • by antdude (79039)

      When is the next version coming out? Why no patches/hotfixes for the released one?

      • by Phroggy (441)

        When is the next version coming out? Why no patches/hotfixes for the released one?

        Usually that's a clear sign that the problem isn't a bug, but a design flaw; they can't just patch it, because that would break things.

  • I don't have to worry because I didn't use my yahoo mailbox for any official purposes.

    ah I shouldn't joke on that.

    • by Dan541 (1032000)

      The thing about corporate email accounts is that they are set up by the IT department, who don't let users use dodgy password recovery systems.

    • by DanJ_UK (980165) *
      You mean, unofficial purposes? :)
  • Don't use Yahoo.

    Don't use AOL.

    Don't use Microsoft, for God's sakes, or you'll never get your back emails out of it if you decide to move to another service.

    Don't even use Gmail (except as a spam trap or for signing up to Web sites, like I do.)

    Don't use crap in general.

    Get a REAL email account - from your ISP or from your Web hosting provider - that you control, that has security, that is accessible by Web or email client. Then get a decent email client like Thunderbird. It's not rocket science.

  • One more reason not to use Yahoo for certain sensitive needs.

    (incoming overrated's in 3...2...1...)

  • http://research.zscaler.com/2008/09/trusting-cloud.html [zscaler.com] When leveraging cloud based apps, in this case webmail, security is vital not only in the cloud but during transmission to the cloud. While this is often the responsibility of the enterprise itself, here is a situation where Yahoo! was responsible for all components (client and server) and still didn't get it right. Cloud computing will not succeed unless enterprises are able to trust those making online services available to them. Situations such as
