Security Flaw In Yahoo Mail Exposes Plaintext Authentication Info

← Back to Stories (view on slashdot.org)

Security Flaw In Yahoo Mail Exposes Plaintext Authentication Info

Posted by Soulskill on Saturday September 27, 2008 @03:16AM from the who-needs-encryption-anyway dept.

holdenkarau writes "Yahoo!'s acquisition of open source mail client Zimbra has apparently brought some baggage to the mail team. The new Yahoo! desktop program transmits the authentication information in plain text. The flaw was discovered during a Yahoo 'hacku' Day at the University of Waterloo (the only Canadian school part of the trip). Compared to the recent news about Gmail exposing the names associated with accounts, this seems downright scary. So, if you have friends or relatives who might have installed Yahoo! desktop and value their e-mail accounts, now would be a good time to get them to change the password and switch back to the web interface."

66 comments

Min score:

Reason:

Sort:

Overreaction... by Manip · 2008-09-27 03:24 · Score: 0

Sorry but telling people to switch to the web interface and change the password is more than just a little paranoid.
This might be hard to believe but less than ten years ago virtual all passwords were transmitted in plain text.
If you aren't surfing in insecure wireless then you really have nothing to worry about. And if you are surfing on insecure wireless than frankly you should assume HTTPs will protect you.
1. Re:Overreaction... by The+Gaytriot · 2008-09-27 03:35 · Score: 4, Interesting
  
  Sure it might be considered paranoid, but then again you don't put locks on your door because you're constantly expecting strangers to get in, you put them in just in case.
  This security flaw makes it a piece of cake to get someone's login info if you want it. Then again; most website logins and all kinds of other things are probably the same way, so this is just the status quo.
  
  --
  Srsly u guys. U guys, srsly.
2. Re:Overreaction... by Dhalka226 · 2008-09-27 03:47 · Score: 3, Insightful
  
  Sure it might be considered paranoid, but then again you don't put locks on your door because you're constantly expecting strangers to get in, you put them in just in case.
  No, you put them in to discourage the thief from even trying. Breaking most door locks isn't a particularly hard task, but it is noisy and it's fair more complicated than simply jumping in the open window next door.
  That said, a door-locks-to-encryption analogy suffers. In order to tell whether or not you're using encryption, they basically have to have already compromised your system or connection in such a way that they can already see your packets. Maybe they move away at that point, but you've already got some pretty serious problems.
3. Re:Overreaction... by snl2587 · 2008-09-27 03:47 · Score: 0, Offtopic
  
  This might be hard to believe but less than ten years ago virtual all passwords were transmitted in plain text.
  This just in: man wakes from 10 year slumber to find that the internet has changed and no one cares about Monica Lewinsky anymore. Story at 11.
4. Re:Overreaction... by zappepcs · 2008-09-27 04:17 · Score: 3, Informative
  
  Maybe they move away at that point, but you've already got some pretty serious problems.
  Yes, and if you're using plain text password transmission, game over.
  The door lock to security analogy of this goes: When the thief twists your door knob to see if it's locked, if you didn't lock it, game over. From the street or some distant spot on the network, everything looks the same. It's ONLY when you attempt to open the door or look at the packets that you find out whether the locks are in use.
  Getting to the point that they can see your packets (for many hackers) is as easy as walking up to your front door. On the Internet, it's as easy to walk up to your front door as it is to walk up to the front door of someone in another country. In fact, some hackers walk up to a LOT of front doors to find one that is not locked.
  The analogy still works. Those serious problems that you are talking about have always been there. Every cable subscriber in the USA probably has 14 people looking at their front door to see if it's locked. Remember, hackers are not all script kiddies. It only takes one trojan to sit there and monitor the whole neighborhood looking for somewhere else to live and scoop passwords. Aunt Ethel on the corner doesn't know much about computer security, so her pc is the one monitoring your packets. See how this goes?
  In this case, you do lock the doors because you are ALWAYS expecting people to try to get in. period. that's juts how it is.
  
  --
  Support NYCountryLawyer RIAA vs People
5. Re:Overreaction... by John+Hasler · 2008-09-27 05:33 · Score: 2, Interesting
  
  More to the point, if you are using one of these free ad ageny supplied services you surely are not using it for anything important or sensitive anyway.
  Are you?
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
6. Re:Overreaction... by slugstone · 2008-09-27 07:55 · Score: 2, Funny
  
  More to the point, if you are using one of these free ad ageny supplied services you surely are not using it for anything important or sensitive anyway.
  Are you?
  You give the general pubic to much credit or are you joking?
7. Re:Overreaction... by DMUTPeregrine · 2008-09-27 13:57 · Score: 1
  
  Most website logins are, but they shouldn't be. Something as simple as SAWASC or as complex as SSL can easily protect logins. If SSL is too processor intensive, use something like SAWASC (Shared secret authentication.)
  
  --
  Not a sentence!
8. Re:Overreaction... by owlstead · 2008-09-28 07:11 · Score: 1
  
  Bollocks. As long as I'm using a wired service using my trusted ISP, then I would be pretty safe against any attacks on my IP packets. Not so with an open door, everybody can walk in. And even if I'm just using unsecured wifi, I don't think many hackers will physically go out of place just to hack my Yahoo account. Then there is the gain to be had, which is a lot less. Also less risk, but the comparison is completely flawed, whichever way you look at it.
  Then again, SSL is certainly to be preferred.
9. Re:Overreaction... by ikeman32 · 2008-10-01 03:13 · Score: 1
  
  The lock to encryption analogy is a good one for sure; however, locks only keep out the honest people. Because even an honest person will check their neighbor's knob to see if the door is locked. A dishonest person like an electric curent will find the path of least resistence. A determined person will keep comming back until makes a mistake.
Like Joe Average is going to care... by Splab · 2008-09-27 03:25 · Score: 4, Insightful

I mean seriously, most sites transmits their passwords in plain text - most people use the same credentials everywhere so whats the big fudging deal?
If you can't trust your upstream provider you should be using someone else anyways.
1. Re:Like Joe Average is going to care... by cwtrex · 2008-09-27 03:45 · Score: 1
  
  I guess the question to ask then, is how about GMail? Does anyone know if they are more secure? If so, then perhaps it'd be worth our time to convince some more people to switch for the sake of security.
2. Re:Like Joe Average is going to care... by holdenkarau · 2008-09-27 03:52 · Score: 3, Informative
  
  I guess the question to ask then, is how about GMail? Does anyone know if they are more secure? If so, then perhaps it'd be worth our time to convince some more people to switch for the sake of security.
  gmail is more secure, it actually requires SSL to connect to the IMAP & POP servers (Yahoo! doesn't support SSL on its IMAP servers).
3. Re:Like Joe Average is going to care... by Anonymous Coward · 2008-09-27 04:01 · Score: 0
  
  Rephrasing what you said for clarity: Since the upstream provider is trusted, people should switch from GMail to Yahoo Mail in order to save on the unnecessary overhead of encryption.
4. Re:Like Joe Average is going to care... by Vladus2000 · 2008-09-27 04:09 · Score: 1
  
  I mean seriously, most sites transmits their passwords in plain text - most people use the same credentials everywhere so whats the big fudging deal? If you can't trust your upstream provider you should be using someone else anyways.
  
  I agree, the average Joe uses their street address, their birthday or their children's names as their password and use it everywhere. You don't have to intercept their password to hack it if you really want to. That being said, because they use the same username/password everywhere, it's probably a good idea to try to convince them not to use something that insecure. Even if they don't care, they probably should.
5. Re:Like Joe Average is going to care... by Anonymous Coward · 2008-09-27 04:14 · Score: 0
  
  Does your local university encrypt their wireless traffic? I know for a fact that mine doesn't, and it's one of the more reputable schools in CS and Engineering. Does your neighbour encrypt their home wireless network using WPA?
  Wireshark works just fine when attached to a promiscuous 802.11a/b/g/n card. Perhaps your upstream provider isn't the only factor you should be considering...
6. Re:Like Joe Average is going to care... by Splab · 2008-09-27 05:14 · Score: 1
  
  Yeah don't get me wrong, I think security is a big issue, but I (we) are not Joe Average.
  I got KDEWallet to store my passwords, use different passwords different places, and if the site is just slightly shady I use different login compared to my default (splab).
  A good example of forcing security (I think) is the way we handle pin codes at work (used for signing in on your phone). Rather than using a 4 digit code we require a 5 digit and suggest they should not use any part of their credit card pin. Now we could ask users to punch in alpha numeric code when logging in (they can chose so), but phones really aren't good for punching in those passwords.
7. Re:Like Joe Average is going to care... by hairyfeet · 2008-09-27 07:29 · Score: 1
  
  That is why I tell my users to use the number on their keyboard,or monitor,etc. That gives them a nice mix of letters and numbers and no dictionary attacks,and if they forget they can flip the keyboard over or look at the back of the monitor. For example,if I used the keyboard I am typing on I would have RT-231-btw,which makes a nice obscure password,but if I needed it I could just flip the keyboard over. Certainly better IMHO than having them use the name of their cat or their b-day.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
8. Re:Like Joe Average is going to care... by Anonymous Coward · 2008-09-27 09:35 · Score: 0
  
  Right....
  Joe Average probably has a router and its called "linksys" and he wonders why it keeps on getting slower and slower.
  I don't think Joe Average is going to have a secure end to end connection to Yahoo! all the time. Wireless is probably the simplest example where this breaks down, but even with ethernet in say a college campus, its fairly easy to arp poison and do man in the middle. Plaintext is a security risk, there is a reason people don't use telnet anymore.
9. Re:Like Joe Average is going to care... by Splab · 2008-09-28 08:47 · Score: 1
  
  Mix it up with something known, yeah someone knowing the procedure would still be through, but as you said, it beats nothing.
  However, still not a good solution.
10. Re:Like Joe Average is going to care... by hairyfeet · 2008-09-28 09:30 · Score: 1
  
  This is to help with online hackers,NOT the guy in the next cubicle. Because I have found working with SMBs that the guy in the next cubicle can usually go "My PC is acting up and I have to get this mailed. Can I use yours for a sec?" and there you go. But the odds of an online hacker guessing the arcane number+letters+dashes used in your average keyboard or monitor model number is pretty non-existent. And don't forget,we are talking about users that before they talked to me had passwords like "fluffy" and "montana" so you have to admit that something like NSX-1b234-054 is a WHOLE lot better than "fluffy".
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
Uh oh, better tell mom... by Anonymous Coward · 2008-09-27 03:35 · Score: 0

Err, I mean... Gov. Palin.
But no https... by Junta · 2008-09-27 03:42 · Score: 4, Insightful

Look at the fine picture. It's a wireshark trace. The complaint is that it is issuing IMAP traffic without even SSL wrapping it.
Modern practice, virtually all passwords when transmitted on the wire are protected through encryption. Preferably with x509 certificates mitigating the opportunity for man in the middle (in ssh's case, the more manual known_hosts mechanism). There is good reason.
Just because something was done 10 years ago, doesn't mean it was ok. 10 years ago, most desktops ran Windows 98. 10 years ago, Macs didn't implement preemptive multitasking. 10 years ago, some mailers would gleefully execute attachments without any check with the user. 10 years ago, IE would gleefully execute random ActiveX objects on the web.

--
XML is like violence. If it doesn't solve the problem, use more.
1. Re:But no https... by whoever57 · 2008-09-27 03:47 · Score: 3, Insightful
  
  Modern practice, virtually all passwords when transmitted on the wire are protected through encryption
  I don't agree. Maybe for webmail and other web-based authentication schemes, but there are millions of people who use unencrypted POP and whose POP credentials are sent in clear text.
  
  --
  The real "Libtards" are the Libertarians!
2. Re:But no https... by Nutria · 2008-09-27 04:13 · Score: 4, Interesting
  
  but there are millions of people who use unencrypted POP and whose POP credentials are sent in clear text.
  And the vast majority of those packets stay within the ISPs private network. You'd have to be directly sniffing the ISP's network, and who, besides the gov't and that ISP has the wherewithal to accomplish such a task?
  
  --
  "I don't know, therefore Aliens" Wafflebox1
3. Re:But no https... by kesuki · 2008-09-27 04:38 · Score: 4, Interesting
  
  "and who, besides the gov't and that ISP has the wherewithal to accomplish such a task?"
  a man by the name of dan egerstad http://it.slashdot.org/article.pl?sid=07/09/11/1730258
  apparently, because pop transactions are in the clear, sophisticated government users have used the onion router network to encrypt the traffic and allow remote pop logins.
  all you need is to get wireshark, and a nice high speed connection and start running yourself an onion router, it's amazing what you'll get...
  as far as the government being able to read e-mail, well, that doesn't sit well with me either. since when can we trust 'big brother' the government? the same government that wasted billions of dollars on haliburton no bid contracts that resulted in substandard work when anything was done at all?
  
  --
  https://www.gnu.org/philosophy/free-sw.html
4. Re:But no https... by Nutria · 2008-09-27 04:49 · Score: 1
  
  What does allow remote pop logins have to do with (quoting from my original message) "packets stay within the ISPs private network"?
  
  --
  "I don't know, therefore Aliens" Wafflebox1
5. Re:But no https... by whoever57 · 2008-09-27 05:17 · Score: 3, Informative
  
  And the vast majority of those packets stay within the ISPs private network. You'd have to be directly sniffing the ISP's network
  How is this different to sniffing passwords from unencrypted http-based logins?
  
  Just go to your local coffee shop with open wireless and sniff the wireless there.
  
  --
  The real "Libtards" are the Libertarians!
6. Re:But no https... by Nutria · 2008-09-27 05:56 · Score: 1
  
  Just go to your local coffee shop with open wireless and sniff the wireless there.
  But that's not within the ISP's network.
  
  --
  "I don't know, therefore Aliens" Wafflebox1
7. Re:But no https... by whoever57 · 2008-09-27 06:26 · Score: 1
  
  Just go to your local coffee shop with open wireless and sniff the wireless there.
  
  But that's not within the ISP's network.
  Exactly. You were the one who made the original assertion about POP packets remaining within the ISP's "private" network. I pointed out that many people use unencrypted wireless sessions at public locations, which tends to refute your point.
  
  So, what's your point?
  
  --
  The real "Libtards" are the Libertarians!
8. Re:But no https... by Nutria · 2008-09-27 07:45 · Score: 1
  
  made the original assertion about POP packets
  I said "the vast majority of those packets stay within the ISPs private network", because I acknowledge that you can usually access pop servers from outside the private network. (That's how I continued to read my email while evacuated for Katrina.)
  
  --
  "I don't know, therefore Aliens" Wafflebox1
9. Re:But no https... by whoever57 · 2008-09-27 08:31 · Score: 1
  
  I said "the vast majority of those packets stay within the ISPs private network", because I acknowledge that you can usually access pop servers from outside the private network. (That's how I continued to read my email while evacuated for Katrina.)
  And no-one uses POP servers other than their ISP's right? Oh, but you can also access Yahoo mail through unencrypted POP, and there are perhaps hundreds of thousands of businesses whose users check their email over unencrypted POP.
  So, we have:
  * Users POPing their email from their normal ISP over unencrypted WIFI connections
  * Users POP-ing their non-ISP hosted email over unencrypted sessions.
  I suspect that the proportion of POP email that travel ONLY over a single ISP's private network is far lower than you think.
  
  --
  The real "Libtards" are the Libertarians!
10. Re:But no https... by MoogMan · 2008-09-27 08:39 · Score: 3, Insightful
  
  Modern practice, virtually all passwords when transmitted on the wire are protected through encryption
  Considering a *lot* of users use passwords primarily on the Internet, this statement is incorrect.
  Any website that requires you to log in, and does not use https/ssl or HTTP digest access authentication will be sniffable.
  AFAIK, hotmail, yahoo and gmail, amazon, ebay all allow users to log in via http - that's probably 90%+ of your users vulnerable right there.
  Just to put this in perspective - this may be a backwards step for Yahoo Mail users per. se. but isn't really much worse than your average user logging into a bunch of other websites with the same password anyway.
11. Re:But no https... by caluml · 2008-09-27 11:32 · Score: 1
  
  Look at the fine picture. It's a wireshark trace. The complaint is that it is issuing IMAP traffic without even SSL wrapping it. I was trying to move someone from Outlook Express to Thunderbird, but she'd forgotten her IMAP password (auto-saved). Had a dig around in the registry, found the entry, but couldn't work out how to recover it (in about 5 mins of trying). So just installed Wireshark, and sniffed her packets while she logged into her mail from OE. (Luckily, her setup wasn't using SSL.)
  
  --
  Get your own free personal location tracker
12. Re:But no https... by Dan541 · 2008-09-27 12:06 · Score: 1
  
  Most mail providers don't support SSL for POP or IMAP, in fact I've never seen secure pop or imap.
  
  --
  An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
13. Re:But no https... by kesuki · 2008-09-27 12:16 · Score: 1
  
  if the government cant prevent users from doing remote logins using TOR network technology, then why do you assume anyone is going to prevent power users from finding ways to get remote e-mail access that is by policy denied? that was my point.
  
  --
  https://www.gnu.org/philosophy/free-sw.html
14. Re:But no https... by Anonymous Coward · 2008-09-27 13:39 · Score: 0
  
  gmail is accessible using imaps (port 993, SSL on)
15. Re:But no https... by Cochonou · 2008-09-27 19:34 · Score: 1
  
  Same for fastmail.fm.
16. Re:But no https... by KGIII · 2008-09-27 21:54 · Score: 1
  
  Pick better companies. We're a very small web hosting company, for instance, and we provide secure POP3 and IMAP.
  
  --
  "So long and thanks for all the fish."
Not significant? by OutlawDrake · 2008-09-27 03:50 · Score: 1

I haven't looked carefully at the rest of the platforms that Yahoo provides, but I believe that at least Yahoo Messenger (when connecting with Pidgin anyway) also sends the same auth credentials in plain text. Not that the overall problem is insignificant (*any* time auth credentials are sent, in any context, they should be encrypted), but worrying only about IMAP is naive in this case. (What about POP? What about all the Y! web platforms?)
1. Re:Not significant? by holdenkarau · 2008-09-27 03:55 · Score: 2, Insightful
  
  I haven't looked carefully at the rest of the platforms that Yahoo provides, but I believe that at least Yahoo Messenger (when connecting with Pidgin anyway) also sends the same auth credentials in plain text. Not that the overall problem is insignificant (*any* time auth credentials are sent, in any context, they should be encrypted), but worrying only about IMAP is naive in this case. (What about POP? What about all the Y! web platforms?)
  Yahoo! POP is SSL encrypted (and only available to pro acount users in any case). Part of the worry for me is Yahoo! doesn't disclose that the connection is unencrypted in the default program, and there is no way to get it to use encryption (the server doesn't even support encryption). As far as other Yahoo! properties I have no idea.
Switch to web interface THEN change the password by Scott+Kevill · 2008-09-27 03:58 · Score: 3, Informative

After all, you've just told them the app uses plain text, then you tell them to use the app to change the password. :)
That said, the friends and relatives probably use machines running key loggers anyway.

--
GameRanger - multiplayer gaming service for PC and Mac games
Was I the only one... by Anonymous Coward · 2008-09-27 04:00 · Score: 0

Was I the only one to read the first sentence of the summary as:

Yahoo!'s acquisition of open source mail client Zimbra has apparently brought some teabagging to the mail team.
Oooh, 'ello sailor!
Re:Switch to web interface THEN change the passwor by albertost · 2008-09-27 04:08 · Score: 1

o_O I guess he meant to change the password using the web interface
This app... by Anonymous Coward · 2008-09-27 04:14 · Score: 0

... must have been written by someone called Napoleon!
It's a tricky one by David+Gerard · 2008-09-27 04:41 · Score: 1

Google vs Yahoo. Evil ... or stupid?

--
http://rocknerd.co.uk
You get what you pay for. by Anonymous Coward · 2008-09-27 04:58 · Score: 1, Interesting

I have never liked the concept of free E-mail. Like Robert Heinlein said, TANSTAAFL.
This is why I recommend people use paid ISPs for their real E-mail accounts, and perhaps use Yahoo, Google, or Rocketmail for registering on spammy websites where they want an E-mail address so they can make their advertisers happy.
I will sound like a MS shill here, but this something I like about MS Exchange. The POP3, IMAP, and OWA services can all be configured to be SSL/TLS only. I know that with an Exchange hosted provider, I will get a certain service level of a known, certifed, and secure mail server, and most Exchange providers also offer a high uptime in their SLA.
To boot, a dedicated ISP's bread and butter is ensuring the security of their customer's E-mail, so they tend to be far more proactive in general in ensuring that mail stays put.
1. Re:You get what you pay for. by Super_Z · 2008-09-27 05:20 · Score: 0
  
  I will sound like a MS shill here, but this something I like about MS Exchange. The POP3, IMAP, and OWA services can all be configured to be SSL/TLS only.
  So can pretty much every other contemporary email product. You are an MS shill.
2. Re:You get what you pay for. by Anonymous Coward · 2008-09-27 06:43 · Score: 0
  
  Umm... go with a real provider, like me.com. like all other Apple products, its arguably 100% secure against any type of attacks.
  Had Palin had her mail with me.com, her and McCain would be 10 more points ahead in the polls.
3. Re:You get what you pay for. by avandesande · 2008-09-27 08:12 · Score: 1
  
  Nice you have an opinion, now where is your analysis? I like having the same email after 8 years and changing 5 different isps and 4 different jobs. The spam filtering works reasonably well and I have access to old emails from the entire period. I can get to my email any time/any where. I can count on one hand the number of times the service wasn't available.
  I like yahoo mail.
  
  --
  love is just extroverted narcissism
4. Re:You get what you pay for. by Anonymous Coward · 2008-09-27 08:41 · Score: 0
  
  As I noted below, Zimbra's mail server in fact requires TLS for both POP and IMAP, and not only turns that off by default, but has a second switch, also off by default, that allows POP and IMAP *from outside your lan*.
  We're kinda taking Holden around the woodshed on that forum thread; this *really* wasn't Zimbra's fault -- they don't control Yahoomail servers' stupidity...
5. Re:You get what you pay for. by Mr+Z · 2008-09-27 09:31 · Score: 3, Funny
  
  This is why I recommend people use paid ISPs for their real E-mail accounts, and perhaps use Yahoo, Google, or Rocketmail for registering on spammy websites where they want an E-mail address so they can make their advertisers happy.
  When I signed up for DSL service, it was with SBC Yahoo! DSL, you insensitive clod!
  
  --
  Program Intellivision!
6. Re:You get what you pay for. by RiffRafff · 2008-09-27 10:26 · Score: 1
  
  "This is why I recommend people use paid ISPs for their real E-mail accounts, and perhaps use Yahoo, Google, or Rocketmail for registering on spammy websites where they want an E-mail address so they can make their advertisers happy."
  Guess what? More and more "paid ISPs" are cutting costs and decommissioning their mail servers in favor of Google Apps/Gmail. ISP.com, for example, is currently switching their users over.
  
  --
  "I might have made a tactical error in not going to a physician for 20 years." -- Warren Zevon
How about by Provocateur · 2008-09-27 04:59 · Score: 1

time to switch to Linux, go back to the web interface, and change passwords?
Well, desktop Linux has to come one way or another. Haven't you guys heard of guerilla tactics?

--
WARNING: Smartphones have side effects--most of them undocumented.
This will be fixed in the next version. by mkraft · 2008-09-27 06:20 · Score: 4, Informative

According to a post by a Zimbra employee over at their forums. This will be corrected in the next version of Zimbra Desktop.
1. Re:This will be fixed in the next version. by Anonymous Coward · 2008-09-27 07:21 · Score: 0
  
  I'd be more pleased if they notified existing users of the security implications of using the present version rather than just saying "it will be fixed later". Right now everyone using it in a coffee shop or over wifi is spreading the email love a bit more than they probably intended.
2. Re:This will be fixed in the next version. by jra · 2008-09-27 07:23 · Score: 2, Insightful
  
  *What* will be fixed in the next version of Zimbra; the fact that *Yahoo* allows cleartext passwords?
  Cause that's not Zimbra's fault.
  In fact, the *Zimbra* server-side component, while it permits you to allow clear-text POP and IMAP logins, defaults that switch to off.
  What's that tag again? Badsummary?
3. Re:This will be fixed in the next version. by antdude · 2008-09-27 09:41 · Score: 1
  
  Whgen is the next version coming out? Why no patches/hotfixes for the released one?
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
4. Re:This will be fixed in the next version. by Phroggy · 2008-09-27 13:52 · Score: 1
  
  Whgen is the next version coming out? Why no patches/hotfixes for the released one?
  Usually that's a clear sign that the problem isn't a bug, but a design flaw; they can't just patch it, because that would break things.
  
  --
  $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
  $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Yahoo inbox can be hacked ? by Monkey-some · 2008-09-27 10:29 · Score: 1

I don't have to worry because I didn't used my yahoo mailbox for any official purposes.
ah I shouldn't joke on that.
1. Re:Yahoo inbox can be hacked ? by Dan541 · 2008-09-27 12:22 · Score: 1
  
  The thing about corporate email accounts is that they are setup by the IT department who don't let users use dodgy password recovery systems.
  
  --
  An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
2. Re:Yahoo inbox can be hacked ? by DanJ_UK · 2008-09-27 14:35 · Score: 1
  
  You mean, unofficial purposes? :)
  
  --
  - Dan
Here's a better idea by Master+of+Transhuman · 2008-09-27 11:37 · Score: 1

Don't use Yahoo.
Don't use AOL.
Don't use Microsoft, for God's sakes, or you'll never get your back emails out of it if you decide to move to another service.
Don't even use Gmail (except as a spam trap or for signing up to Web sites, like I do.)
Don't use crap in general.
Get a REAL email account - from your ISP or from your Web hosting provider - that you control, that has security, that is accessible by Web or email client. Then get a decent email client like Thunderbird. It's not rocket science.

--
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Paging the Alaskan Governor... by sethstorm · 2008-09-27 13:17 · Score: 1

One more reason not to use Yahoo for certain sensitive needs.
(incoming overrated's in 3...2...1...)

--
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
Trusting the Cloud by Michael+Sutton · 2008-09-29 09:01 · Score: 1

http://research.zscaler.com/2008/09/trusting-cloud.html When leveraging cloud based apps, in this case webmail, security is vital not only in the cloud but during transmission to the cloud. While this is often the responsibility of the enterprise itself, here is a situation where Yahoo! was responsible for all components (client and server) and still didn't get it right. Cloud computing will not succeed unless enterprises are able to trust those making online services available to them. Situations such as this, where security was clearly an afterthought, do not help to build the trust required for cloud computing to succeed.