Security Flaw In Yahoo Mail Exposes Plaintext Authentication Info

holdenkarau writes "Yahoo!'s acquisition of open source mail client Zimbra has apparently brought some baggage to the mail team. The new Yahoo! desktop program transmits the authentication information in plain text. The flaw was discovered during a Yahoo 'hacku' Day at the University of Waterloo (the only Canadian school part of the trip). Compared to the recent news about Gmail exposing the names associated with accounts, this seems downright scary. So, if you have friends or relatives who might have installed Yahoo! desktop and value their e-mail accounts, now would be a good time to get them to change the password and switch back to the web interface."
  • by Splab ( 574204 ) on Saturday September 27, 2008 @11:25AM (#25177561)

    I mean seriously, most sites transmit their passwords in plain text - most people use the same credentials everywhere so what's the big fudging deal?

    If you can't trust your upstream provider you should be using someone else anyways.

  • But no https... (Score:5, Insightful)

    by Junta ( 36770 ) on Saturday September 27, 2008 @11:42AM (#25177657)

    Look at the fine picture. It's a wireshark trace. The complaint is that it is issuing IMAP traffic without even SSL wrapping it.

    Modern practice, virtually all passwords when transmitted on the wire are protected through encryption. Preferably with x509 certificates mitigating the opportunity for man in the middle (in ssh's case, the more manual known_hosts mechanism). There is good reason.

    Just because something was done 10 years ago, doesn't mean it was ok. 10 years ago, most desktops ran Windows 98. 10 years ago, Macs didn't implement preemptive multitasking. 10 years ago, some mailers would gleefully execute attachments without any check with the user. 10 years ago, IE would gleefully execute random ActiveX objects on the web.

  • Re:But no https... (Score:4, Insightful)

    by whoever57 ( 658626 ) on Saturday September 27, 2008 @11:47AM (#25177677) Journal

    Modern practice, virtually all passwords when transmitted on the wire are protected through encryption

    I don't agree. Maybe for webmail and other web-based authentication schemes, but there are millions of people who use unencrypted POP and whose POP credentials are sent in clear text.

  • by Dhalka226 ( 559740 ) on Saturday September 27, 2008 @11:47AM (#25177681)

    Sure it might be considered paranoid, but then again you don't put locks on your door because you're constantly expecting strangers to get in, you put them in just in case.

    No, you put them in to discourage the thief from even trying. Breaking most door locks isn't a particularly hard task, but it is noisy and it's far more complicated than simply jumping in the open window next door.

    That said, a door-locks-to-encryption analogy suffers. In order to tell whether or not you're using encryption, they basically have to have already compromised your system or connection in such a way that they can already see your packets. Maybe they move away at that point, but you've already got some pretty serious problems.

  • by holdenkarau ( 1130485 ) on Saturday September 27, 2008 @11:55AM (#25177717) Homepage

    I haven't looked carefully at the rest of the platforms that Yahoo provides, but I believe that at least Yahoo Messenger (when connecting with Pidgin anyway) also sends the same auth credentials in plain text. Not that the overall problem is insignificant (*any* time auth credentials are sent, in any context, they should be encrypted), but worrying only about IMAP is naive in this case. (What about POP? What about all the Y! web platforms?)

    Yahoo! POP is SSL encrypted (and only available to pro account users in any case). Part of the worry for me is Yahoo! doesn't disclose that the connection is unencrypted in the default program, and there is no way to get it to use encryption (the server doesn't even support encryption). As far as other Yahoo! properties I have no idea.
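Junta's point that the Wireshark trace shows an IMAP LOGIN without SSL, and holdenkarau's point that the Yahoo! server offers no encrypted path at all, are both things a defender can check mechanically over a captured stream. The following is an added example, not code from this thread, from Yahoo! or from Zimbra. It walks the transcript of one IMAP session as a list of (direction, line) pairs, a format assumed here for illustration rather than any Wireshark export, and reports every credential sent before a successful STARTTLS, noting whether the server advertised STARTTLS (client skipped it) or not (no encrypted path exists). The session transcripts and the credentials in them are constructed; passwords are never recorded in the findings.

```python
"""Audit a captured IMAP session for credentials sent in the clear.

Added example, not code from the Slashdot thread or from Yahoo!/Zimbra.
Input is one TCP stream as (direction, line) pairs, in the spirit of
Wireshark's "Follow TCP Stream" view: 'C' is client->server, 'S' is
server->client. The transcripts at the bottom are constructed.
"""
import base64
import re

# Client commands that carry credentials (RFC 3501 LOGIN, RFC 4616 PLAIN).
LOGIN_RE = re.compile(r'^(?P<tag>\S+)\s+LOGIN\s+(?P<user>"[^"]*"|\S+)\s+\S+', re.I)
AUTH_RE = re.compile(r'^(?P<tag>\S+)\s+AUTHENTICATE\s+(?P<mech>\S+)', re.I)
STARTTLS_RE = re.compile(r'^(?P<tag>\S+)\s+STARTTLS\b', re.I)
CAPABILITY_RE = re.compile(r'^\*\s+CAPABILITY\s+(?P<caps>.*)$', re.I)


def _finding(command, user, caps):
    """Describe one exposure. The password is deliberately not recorded."""
    if 'STARTTLS' in caps:
        reason = 'client skipped STARTTLS although the server offered it'
    else:
        reason = 'server advertises no STARTTLS, so no encrypted path exists'
    return {'command': command, 'user': user, 'reason': reason}


def _plain_username(blob):
    """Username (authcid) from a SASL PLAIN response: authzid NUL authcid NUL passwd.

    Base64 is encoding, not encryption, which is why PLAIN without TLS is
    no better than LOGIN. Only the username is returned.
    """
    try:
        parts = base64.b64decode(blob, validate=True).split(b'\0')
    except ValueError:
        return None
    return parts[1].decode('utf-8', 'replace') if len(parts) == 3 else None


def audit_imap_session(lines):
    """Return one finding per credential the client sent before TLS was up."""
    findings = []
    caps = set()
    starttls_tag = None      # tag of an outstanding STARTTLS command
    awaiting_plain = False   # the next client line is the PLAIN response
    for direction, text in lines:
        text = text.rstrip('\r\n')
        if direction == 'S':
            m = CAPABILITY_RE.match(text)
            if m:
                caps.update(c.upper() for c in m.group('caps').split())
            elif starttls_tag and text.upper().startswith(starttls_tag.upper() + ' OK'):
                break   # TLS handshake follows; later bytes are ciphertext
            elif awaiting_plain and not text.startswith('+'):
                awaiting_plain = False   # server rejected the mechanism
            continue
        if awaiting_plain:
            awaiting_plain = False
            findings.append(_finding('AUTHENTICATE PLAIN', _plain_username(text), caps))
            continue
        m = STARTTLS_RE.match(text)
        if m:
            starttls_tag = m.group('tag')
            continue
        m = LOGIN_RE.match(text)
        if m:
            findings.append(_finding('LOGIN', m.group('user').strip('"'), caps))
            continue
        m = AUTH_RE.match(text)
        if m and m.group('mech').upper() == 'PLAIN':
            parts = text.split(None, 3)
            if len(parts) == 4:   # SASL-IR: response carried on the same line
                findings.append(_finding('AUTHENTICATE PLAIN', _plain_username(parts[3]), caps))
            else:
                awaiting_plain = True
    return findings


# Constructed transcript in the shape the story describes: LOGIN on port 143
# against a server that offers no STARTTLS at all.
CLEARTEXT_SESSION = [
    ('S', '* OK IMAP4rev1 server ready'),
    ('C', 'a001 CAPABILITY'),
    ('S', '* CAPABILITY IMAP4rev1 AUTH=PLAIN'),
    ('S', 'a001 OK CAPABILITY completed'),
    ('C', 'a002 LOGIN "alice@example.invalid" hunter2'),   # constructed credentials
    ('S', 'a002 OK LOGIN completed'),
    ('C', 'a003 SELECT INBOX'),
]

# Constructed transcript of a client that upgrades before authenticating;
# the server also refuses cleartext LOGIN (LOGINDISABLED), as a hardened default.
UPGRADED_SESSION = [
    ('S', '* OK IMAP4rev1 server ready'),
    ('C', 'a001 CAPABILITY'),
    ('S', '* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED'),
    ('S', 'a001 OK CAPABILITY completed'),
    ('C', 'a002 STARTTLS'),
    ('S', 'a002 OK Begin TLS negotiation now'),
    ('C', 'a003 LOGIN alice secret'),   # would be ciphertext in a real capture
]

# Constructed transcript of PLAIN sent without upgrading although STARTTLS was offered.
PLAIN_SESSION = [
    ('S', '* OK IMAP4rev1 server ready'),
    ('S', '* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN'),
    ('C', 'a001 AUTHENTICATE PLAIN'),
    ('S', '+ '),
    ('C', base64.b64encode(b'\0bob\0pw').decode()),   # constructed credentials
    ('S', 'a001 OK'),
]

if __name__ == '__main__':
    for name, session in [('cleartext', CLEARTEXT_SESSION),
                          ('upgraded', UPGRADED_SESSION), ('plain', PLAIN_SESSION)]:
        print(name, audit_imap_session(session))
```

Feeding the three constructed sessions through `audit_imap_session` gives one finding for the cleartext LOGIN (reason: no STARTTLS advertised), none for the session that upgraded first, and one for the PLAIN exchange (reason: client skipped STARTTLS). The `LOGINDISABLED` capability in the upgraded transcript is the server-side stance jra describes for Zimbra's default: refuse cleartext logins rather than rely on every client doing the right thing.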

  • by jra ( 5600 ) on Saturday September 27, 2008 @03:23PM (#25178945)

    *What* will be fixed in the next version of Zimbra; the fact that *Yahoo* allows cleartext passwords?

    Cause that's not Zimbra's fault.

    In fact, the *Zimbra* server-side component, while it permits you to allow clear-text POP and IMAP logins, defaults that switch to off.

    What's that tag again? Badsummary?

  • Re:But no https... (Score:4, Insightful)

    by MoogMan ( 442253 ) on Saturday September 27, 2008 @04:39PM (#25179459)

    Modern practice, virtually all passwords when transmitted on the wire are protected through encryption

    Considering a *lot* of users use passwords primarily on the Internet, this statement is incorrect.

    Any website that requires you to log in, and does not use https/ssl or HTTP digest access authentication will be sniffable.

    AFAIK, hotmail, yahoo and gmail, amazon, ebay all allow users to log in via http - that's probably 90%+ of your users vulnerable right there.

    Just to put this in perspective - this may be a backwards step for Yahoo Mail users per se, but isn't really much worse than your average user logging into a bunch of other websites with the same password anyway.
