Security Flaw In Yahoo Mail Exposes Plaintext Authentication Info
holdenkarau writes "Yahoo!'s acquisition of open source mail client Zimbra has apparently brought some baggage to the mail team. The new Yahoo! desktop program transmits the authentication information in plain text. The flaw was discovered during a Yahoo 'hacku' Day at the University of Waterloo (the only Canadian school on the trip). Compared to the recent news about Gmail exposing the names associated with accounts, this seems downright scary. So, if you have friends or relatives who might have installed Yahoo! desktop and value their e-mail accounts, now would be a good time to get them to change the password and switch back to the web interface."
Re:Overreaction... (Score:4, Interesting)
Sure, it might be considered paranoid, but then again you don't put locks on your door because you're constantly expecting strangers to get in; you put them on just in case.
This security flaw makes it a piece of cake to get someone's login info if you want it. Then again, most website logins and all kinds of other things are probably the same way, so this is just the status quo.
Re:But no https... (Score:5, Interesting)
but there are millions of people who use unencrypted POP and whose POP credentials are sent in clear text.
And the vast majority of those packets stay within the ISP's private network. You'd have to be directly sniffing the ISP's network, and who, besides the gov't and that ISP, has the wherewithal to accomplish such a task?
Re:But no https... (Score:5, Interesting)
"and who, besides the gov't and that ISP has the wherewithal to accomplish such a task?"
a man by the name of Dan Egerstad http://it.slashdot.org/article.pl?sid=07/09/11/1730258
apparently, because pop transactions are in the clear, sophisticated government users have used the onion router network to encrypt the traffic and allow remote pop logins.
all you need is to get wireshark, and a nice high speed connection and start running yourself an onion router, it's amazing what you'll get...
as far as the government being able to read e-mail, well, that doesn't sit well with me either. since when can we trust 'big brother' the government? the same government that wasted billions of dollars on Halliburton no-bid contracts that resulted in substandard work when anything was done at all?
You get what you pay for. (Score:1, Interesting)
I have never liked the concept of free E-mail. Like Robert Heinlein said, TANSTAAFL.
This is why I recommend people use paid ISPs for their real E-mail accounts, and perhaps use Yahoo, Google, or Rocketmail for registering on spammy websites where they want an E-mail address so they can make their advertisers happy.
I will sound like a MS shill here, but this is something I like about MS Exchange. The POP3, IMAP, and OWA services can all be configured to be SSL/TLS only. I know that with an Exchange hosted provider, I will get a certain service level of a known, certified, and secure mail server, and most Exchange providers also offer a high uptime in their SLA.
To boot, a dedicated ISP's bread and butter is ensuring the security of their customers' E-mail, so they tend to be far more proactive in general in ensuring that mail stays put.
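Two comments above touch the same point: POP credentials "sent in clear text" and mail services "configured to be SSL/TLS only". The following is an added example, not code from the thread, from Yahoo!, or from Zimbra: a small Python audit that reads a POP3 or IMAP session transcript (the "C:"/"S:" line format and the three sample sessions are constructed for this example) and reports any credential-bearing command the client issued before TLS was actually negotiated. It covers the failure mode the thread is about, a client that sends USER/PASS or LOGIN on a plaintext connection, including the case where the client asked for STARTTLS, the server refused, and the client logged in anyway. Findings record only the command verb and line number, never the secret itself.

```python
"""Audit a POP3/IMAP session transcript for credentials sent before TLS.

Transcript format (constructed for this example): one line per protocol
line, prefixed "C: " for client or "S: " for server.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the transcript
    command: str   # verb only; the password value is never copied into a finding
    reason: str


# Per protocol: which client commands put a reusable secret on the wire, how the
# client asks for a TLS upgrade, and how to recognise the server accepting it.
# AUTH/AUTHENTICATE is only flagged for PLAIN and LOGIN, which merely base64-encode
# the password; challenge-response mechanisms such as CRAM-MD5 are not cleartext.
PROTOCOLS = {
    "pop3": {
        "cred": re.compile(r"^(USER|PASS)\b|^AUTH\s+(PLAIN|LOGIN)\b", re.I),
        "tls_request": re.compile(r"^STLS\s*$", re.I),
        # STLS is accepted with a "+OK" reply (RFC 2595).
        "tls_ok": lambda req, resp: resp.upper().startswith("+OK"),
        "verb_index": 0,
    },
    "imap": {
        "cred": re.compile(r"^\S+\s+LOGIN\b|^\S+\s+AUTHENTICATE\s+(PLAIN|LOGIN)\b", re.I),
        "tls_request": re.compile(r"^\S+\s+STARTTLS\s*$", re.I),
        # STARTTLS is accepted with "<same tag> OK".
        "tls_ok": lambda req, resp: resp.upper().startswith(req.split()[0].upper() + " OK"),
        "verb_index": 1,  # IMAP lines are "<tag> <verb> ..."
    },
}


def audit_session(transcript, protocol, implicit_tls=False):
    """Return Findings for every credential command sent while TLS was not active.

    implicit_tls=True models a session on a TLS-wrapped port (995 / 993), where
    the whole exchange is encrypted from the first byte.
    """
    spec = PROTOCOLS[protocol]
    tls_active = implicit_tls
    pending_tls_request = None   # client asked for TLS; awaiting server verdict
    findings = []
    for n, raw in enumerate(transcript, start=1):
        line = raw.strip()
        who, sep, payload = line.partition(":")
        if not sep:
            continue
        who, payload = who.strip().upper(), payload.strip()
        if who == "S":
            if pending_tls_request is not None:
                # Only a positive server reply actually switches the session to TLS.
                if spec["tls_ok"](pending_tls_request, payload):
                    tls_active = True
                pending_tls_request = None
            continue
        if who != "C":
            continue
        if spec["tls_request"].match(payload):
            pending_tls_request = payload
            continue
        if spec["cred"].match(payload) and not tls_active:
            verb = payload.split()[spec["verb_index"]].upper()
            findings.append(Finding(n, verb, "credential sent before TLS was negotiated"))
    return findings


# Constructed sample sessions (not real captures).
PLAINTEXT_POP3 = [
    "S: +OK POP3 server ready",
    "C: USER alice",
    "S: +OK",
    "C: PASS hunter2",
    "S: +OK logged in",
]
STLS_POP3 = [
    "S: +OK POP3 server ready",
    "C: STLS",
    "S: +OK Begin TLS negotiation",
    "C: USER alice",
    "S: +OK",
    "C: PASS hunter2",
    "S: +OK logged in",
]
# STARTTLS refused, client falls back to a cleartext LOGIN: the worst case.
IMAP_FALLBACK = [
    "S: * OK IMAP4rev1 ready",
    "C: a1 STARTTLS",
    "S: a1 BAD command not supported",
    "C: a2 LOGIN alice hunter2",
    "S: a2 OK",
]

if __name__ == "__main__":
    for name, session, proto in [("plaintext pop3", PLAINTEXT_POP3, "pop3"),
                                 ("stls pop3", STLS_POP3, "pop3"),
                                 ("imap fallback", IMAP_FALLBACK, "imap")]:
        for f in audit_session(session, proto):
            print(f"{name}: line {f.line_no} {f.command}: {f.reason}")
```

A client that passes this check either ran on an implicit-TLS port or completed STLS/STARTTLS before any USER/PASS/LOGIN; the server-side equivalent of the comment's "SSL/TLS only" configuration is to reject those commands until TLS is active, which is exactly the condition the audit tests from the wire's point of view.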
Re:Overreaction... (Score:3, Interesting)
More to the point, if you are using one of these free ad agency supplied services, you surely are not using it for anything important or sensitive anyway.
Are you?