Security Flaw In Yahoo Mail Exposes Plaintext Authentication Info
Posted by Soulskill on Saturday September 27, @11:16AM
from the who-needs-encryption-anyway dept.
holdenkarau writes "Yahoo!'s acquisition of open source mail client Zimbra has apparently brought some baggage to the mail team. The new Yahoo! desktop program transmits the authentication information in plain text. The flaw was discovered during a Yahoo 'hacku' Day at the University of Waterloo (the only Canadian school that was part of the trip). Compared to the recent news about Gmail exposing the names associated with accounts, this seems downright scary. So, if you have friends or relatives who might have installed Yahoo! desktop and value their e-mail accounts, now would be a good time to get them to change the password and switch back to the web interface."
Related Stories
Gmail Reveals the Names of All Users 438 comments
ihatespam writes "Have you ever wanted to know the name of admin@gmail.com? Now you can. Through a bug in Google calendars the names of all registered Gmail accounts are now readily available. All you need to find out the names of any gmail address is a Google calendar account yourself. Depending on your view this ranges from a harmless 'feature' to a rather serious privacy violation. According to some reports, spammers are already exploiting this 'feature'/bug to send personalized spam messages."
Mobile: Tapping the IPhone, Courtesy of Yahoo! 21 comments
tdalek writes "You may remember the recent Slashdot article about Yahoo! Zimbra Desktop exposing authentication information. It turns out that more Yahoo! applications are affected, although to a lesser degree. With Yahoo!'s desktop program, it transmitted the usernames and passwords in plaintext. Yahoo! is one of the lucky few default e-mail providers on the iPhone; sadly it looks like Apple didn't insist on encryption from Yahoo! On the iPhone, authentication is encrypted, but you can see all the messages sent and received in plaintext. Incoming messages are downloaded in plaintext over the standard IMAP port. Outgoing mail is a bit harder to find; it is apparently sent by an HTTP POST request wrapped up inside a bundle of XML, but security through obscurity isn't very effective. If you have Yahoo! mail on your iPhone (and since it's one of the default accounts, I'm assuming quite a few do), now would be a good time to forward it elsewhere for the time being."
Like Joe Average is going to care... (Score:5, Insightful)
I mean seriously, most sites transmit their passwords in plain text - most people use the same credentials everywhere so what's the big fudging deal?
If you can't trust your upstream provider you should be using someone else anyways.
Re: (Score:3, Informative)
I guess the question to ask then, is how about GMail? Does anyone know if they are more secure? If so, then perhaps it'd be worth our time to convince some more people to switch for the sake of security.
Gmail is more secure; it actually requires SSL to connect to the IMAP & POP servers (Yahoo! doesn't support SSL on its IMAP servers).
Re: (Score:2)
Yeah don't get me wrong, I think security is a big issue, but I (we) are not Joe Average.
I've got KDEWallet to store my passwords, use different passwords in different places, and if the site is just slightly shady I use a different login compared to my default (splab).
A good example of forcing security (I think) is the way we handle pin codes at work (used for signing in on your phone). Rather than using a 4 digit code we require a 5 digit and suggest they should not use any part of their credit card pin. Now we c
Re: (Score:2)
Switch to web interface THEN change the password (Score:3, Informative)
After all, you've just told them the app uses plain text, then you tell them to use the app to change the password. :)
That said, the friends and relatives probably use machines running key loggers anyway.
It's a tricky one (Score:2)
Google vs Yahoo. Evil ... or stupid?
How about (Score:2)
time to switch to Linux, go back to the web interface, and change passwords?
Well, desktop Linux has to come one way or another. Haven't you guys heard of guerrilla tactics?
This will be fixed in the next version. (Score:5, Informative)
Re: (Score:2, Insightful)
*What* will be fixed in the next version of Zimbra; the fact that *Yahoo* allows cleartext passwords?
Cause that's not Zimbra's fault.
In fact, the *Zimbra* server-side component, while it permits you to allow clear-text POP and IMAP logins, defaults that switch to off.
What's that tag again? Badsummary?
Re:Overreaction... (Score:4, Interesting)
Sure it might be considered paranoid, but then again you don't put locks on your door because you're constantly expecting strangers to get in, you put them in just in case.
This security flaw makes it a piece of cake to get someone's login info if you want it. Then again; most website logins and all kinds of other things are probably the same way, so this is just the status quo.
Re:Overreaction... (Score:4, Insightful)
No, you put them in to discourage the thief from even trying. Breaking most door locks isn't a particularly hard task, but it is noisy and it's far more complicated than simply jumping in the open window next door.
That said, a door-locks-to-encryption analogy suffers. In order to tell whether or not you're using encryption, they basically have to have already compromised your system or connection in such a way that they can already see your packets. Maybe they move away at that point, but you've already got some pretty serious problems.
Re:Overreaction... (Score:4, Informative)
Maybe they move away at that point, but you've already got some pretty serious problems.
Yes, and if you're using plain text password transmission, game over.
The door-lock-to-security analogy of this goes: When the thief twists your door knob to see if it's locked, if you didn't lock it, game over. From the street or some distant spot on the network, everything looks the same. It's ONLY when you attempt to open the door or look at the packets that you find out whether the locks are in use.
Getting to the point that they can see your packets (for many hackers) is as easy as walking up to your front door. On the Internet, it's as easy to walk up to your front door as it is to walk up to the front door of someone in another country. In fact, some hackers walk up to a LOT of front doors to find one that is not locked.
The analogy still works. Those serious problems that you are talking about have always been there. Every cable subscriber in the USA probably has 14 people looking at their front door to see if it's locked. Remember, hackers are not all script kiddies. It only takes one trojan to sit there and monitor the whole neighborhood looking for somewhere else to live and scoop passwords. Aunt Ethel on the corner doesn't know much about computer security, so her pc is the one monitoring your packets. See how this goes?
In this case, you do lock the doors because you are ALWAYS expecting people to try to get in. Period. That's just how it is.
But no https... (Score:5, Insightful)
Look at the fine picture. It's a wireshark trace. The complaint is that it is issuing IMAP traffic without even SSL wrapping it.
Modern practice, virtually all passwords when transmitted on the wire are protected through encryption. Preferably with x509 certificates mitigating the opportunity for man in the middle (in ssh's case, the more manual known_hosts mechanism). There is good reason.
Just because something was done 10 years ago, doesn't mean it was ok. 10 years ago, most desktops ran Windows 98. 10 years ago, Macs didn't implement preemptive multitasking. 10 years ago, some mailers would gleefully execute attachments without any check with the user. 10 years ago, IE would gleefully execute random ActiveX objects on the web.
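The "But no https..." comment above, the earlier note that the Zimbra server defaults cleartext IMAP/POP logins to off, and the tdalek follow-up (iPhone authentication encrypted but mail bodies in the clear) all turn on what an IMAP server advertises before TLS. This added example (not code from Slashdot, Yahoo! or Zimbra) classifies a server's pre-TLS CAPABILITY line using RFC 3501 / RFC 2595 semantics; the CAPABILITY strings are constructed, not captured from any real server.

```python
import re

# Added example for this thread (not Yahoo!, Zimbra or Slashdot code). It audits the
# pre-TLS CAPABILITY line an IMAP server sends: LOGINDISABLED means the server refuses
# LOGIN until TLS is up, STARTTLS means the connection can be upgraded, AUTH=<mech>
# lists the SASL mechanisms offered. All sample CAPABILITY lines are constructed.

# SASL mechanisms that carry the password itself, as opposed to challenge-response
# digests such as CRAM-MD5 that hide the secret but leave the session in the clear.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_capability(line):
    """Parse an untagged '* CAPABILITY ...' response into a set of upper-case tokens."""
    m = re.match(r"\*\s+CAPABILITY\s+(.+)", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not an untagged CAPABILITY response: %r" % line)
    return {tok.upper() for tok in m.group(1).split()}


def assess(caps, tls_already_up=False):
    """Return (verdict, reason) describing what a passive listener on the wire sees.

    Verdicts: 'ok', 'client-dependent', 'credentials-exposed', 'content-exposed'.
    """
    if tls_already_up:  # implicit TLS (imaps/993): nothing is visible on the wire
        return "ok", "session already TLS-wrapped before any command"
    sasl = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    # A cleartext credential path exists if LOGIN is still accepted (no LOGINDISABLED)
    # or a password-carrying SASL mechanism is offered before TLS.
    cleartext_path = "LOGINDISABLED" not in caps or bool(sasl & CLEARTEXT_MECHS)
    if "STARTTLS" in caps:
        if cleartext_path:
            # Server would accept the password in the clear; safety depends on the
            # client issuing STARTTLS first, which is exactly what the story says it didn't.
            return "client-dependent", "STARTTLS offered but cleartext login still accepted"
        return "ok", "server forces TLS before any credential is sent"
    if cleartext_path:
        return "credentials-exposed", "no STARTTLS and cleartext login accepted"
    # Only challenge-response auth and no TLS: password hidden, mailbox content is not.
    return "content-exposed", "password protected by challenge-response; mail in cleartext"


if __name__ == "__main__":
    for sample in ("* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED",   # constructed
                   "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN",
                   "* CAPABILITY IMAP4rev1 AUTH=PLAIN",
                   "* CAPABILITY IMAP4rev1 LOGINDISABLED AUTH=CRAM-MD5"):
        print(sample, "->", assess(parse_capability(sample)))
```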
Re:But no https... (Score:4, Insightful)
I don't agree. Maybe for webmail and other web-based authentication schemes, but there are millions of people who use unencrypted POP and whose POP credentials are sent in clear text.
Re:But no https... (Score:5, Interesting)
but there are millions of people who use unencrypted POP and whose POP credentials are sent in clear text.
And the vast majority of those packets stay within the ISP's private network. You'd have to be directly sniffing the ISP's network, and who, besides the gov't and that ISP, has the wherewithal to accomplish such a task?
Re:But no https... (Score:5, Interesting)
"and who, besides the gov't and that ISP has the wherewithal to accomplish such a task?"
A man by the name of Dan Egerstad http://it.slashdot.org/article.pl?sid=07/09/11/1730258 [slashdot.org]
Apparently, because POP transactions are in the clear, sophisticated government users have used the onion router network to encrypt the traffic and allow remote POP logins.
All you need is to get Wireshark and a nice high speed connection and start running yourself an onion router; it's amazing what you'll get...
As far as the government being able to read e-mail, well, that doesn't sit well with me either. Since when can we trust 'big brother' the government? The same government that wasted billions of dollars on Halliburton no-bid contracts that resulted in substandard work when anything was done at all?
Re: (Score:2)
What does "allow remote POP logins" have to do with (quoting from my original message) "packets stay within the ISP's private network"?
Re:But no https... (Score:4, Informative)
How is this different to sniffing passwords from unencrypted http-based logins?
Just go to your local coffee shop with open wireless and sniff the wireless there.
Re: (Score:2)
Just go to your local coffee shop with open wireless and sniff the wireless there.
But that's not within the ISP's network.
Re: (Score:2)
Exactly. You were the one who made the original assertion about POP packets remaining within the ISP's "private" network. I pointed out that many people use unencrypted wireless sessions at public locations, which tends to refute your point.
So, what's your point?
Re: (Score:2)
made the original assertion about POP packets
I said "the vast majority of those packets stay within the ISP's private network", because I acknowledge that you can usually access POP servers from outside the private network. (That's how I continued to read my email while evacuated for Katrina.)
Re:But no https... (Score:4, Insightful)
Modern practice, virtually all passwords when transmitted on the wire are protected through encryption
Considering a *lot* of users use passwords primarily on the Internet, this statement is incorrect.
Any website that requires you to log in, and does not use https/ssl or HTTP digest access authentication will be sniffable.
AFAIK, Hotmail, Yahoo and Gmail, Amazon, eBay all allow users to log in via HTTP - that's probably 90%+ of your users vulnerable right there.
Just to put this in perspective - this may be a backwards step for Yahoo Mail users per se, but isn't really much worse than your average user logging into a bunch of other websites with the same password anyway.
Re: (Score:3, Interesting)
More to the point, if you are using one of these free ad-agency-supplied services you surely are not using it for anything important or sensitive anyway.
Are you?
Re: (Score:2, Insightful)
I haven't looked carefully at the rest of the platforms that Yahoo provides, but I believe that at least Yahoo Messenger (when connecting with Pidgin anyway) also sends the same auth credentials in plain text. Not that the overall problem is insignificant (*any* time auth credentials are sent, in any context, they should be encrypted), but worrying only about IMAP is naive in this case. (What about POP? What about all the Y! web platforms?)
Yahoo! POP is SSL encrypted (and only available to pro account users in any case). Part of the worry for me is Yahoo! doesn't disclose that the connection is unencrypted in the default program, and there is no way to get it to use encryption (the server doesn't even support encryption). As far as other Yahoo! properties, I have no idea.
Re:You get what you pay for. (Score:4, Funny)
When I signed up for DSL service, it was with SBC Yahoo! DSL, you insensitive clod!