Slashdot Mirror


Security Flaw In Yahoo Mail Exposes Plaintext Authentication Info

holdenkarau writes "Yahoo!'s acquisition of open source mail client Zimbra has apparently brought some baggage to the mail team. The new Yahoo! desktop program transmits the authentication information in plain text. The flaw was discovered during a Yahoo 'hacku' Day at the University of Waterloo (the only Canadian school that was part of the trip). Compared to the recent news about Gmail exposing the names associated with accounts, this seems downright scary. So, if you have friends or relatives who might have installed Yahoo! desktop and value their e-mail accounts, now would be a good time to get them to change the password and switch back to the web interface."

5 of 66 comments

  1. Re:Like Joe Average is going to care... by holdenkarau · Score: 3, Informative

    I guess the question to ask then, is how about GMail? Does anyone know if they are more secure? If so, then perhaps it'd be worth our time to convince some more people to switch for the sake of security.

    Gmail is more secure; it actually requires SSL to connect to the IMAP & POP servers (Yahoo! doesn't support SSL on its IMAP servers).

  2. Switch to web interface THEN change the password by Scott+Kevill · Score: 3, Informative

    After all, you've just told them the app uses plain text, then you tell them to use the app to change the password. :)

    That said, the friends and relatives probably use machines running key loggers anyway.

    --
    GameRanger - multiplayer gaming service for PC and Mac games
  3. Re:Overreaction... by zappepcs · Score: 3, Informative

    Maybe they move away at that point, but you've already got some pretty serious problems.

    Yes, and if you're using plain text password transmission, game over.

    The door lock to security analogy of this goes: When the thief twists your door knob to see if it's locked, if you didn't lock it, game over. From the street or some distant spot on the network, everything looks the same. It's ONLY when you attempt to open the door or look at the packets that you find out whether the locks are in use.

    Getting to the point that they can see your packets (for many hackers) is as easy as walking up to your front door. On the Internet, it's as easy to walk up to your front door as it is to walk up to the front door of someone in another country. In fact, some hackers walk up to a LOT of front doors to find one that is not locked.

    The analogy still works. Those serious problems that you are talking about have always been there. Every cable subscriber in the USA probably has 14 people looking at their front door to see if it's locked. Remember, hackers are not all script kiddies. It only takes one trojan to sit there and monitor the whole neighborhood looking for somewhere else to live and scoop passwords. Aunt Ethel on the corner doesn't know much about computer security, so her pc is the one monitoring your packets. See how this goes?

    In this case, you do lock the doors because you are ALWAYS expecting people to try to get in. Period. That's just how it is.

  4. Re:But no https... by whoever57 · Score: 3, Informative

    And the vast majority of those packets stay within the ISPs private network. You'd have to be directly sniffing the ISP's network.

    How is this different to sniffing passwords from unencrypted http-based logins?

    Just go to your local coffee shop with open wireless and sniff the wireless there.

    --
    The real "Libtards" are the Libertarians!
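Comments 1 and 4 above make the same point from two sides: a mail client that logs in without SSL/TLS hands its password to anyone sniffing the path (an open coffee-shop Wi-Fi, a compromised PC on the same LAN), and it makes no difference whether the protocol is IMAP, POP3 or plain HTTP. The script below is an added example, not code from the Slashdot thread, Zimbra or Yahoo!: it does what a passive sniffer does once it has reassembled the client-to-server bytes, pulling logins out of IMAP `LOGIN`, IMAP `AUTHENTICATE PLAIN`, POP3 `USER`/`PASS` and HTTP Basic, and it adds the check a practitioner would run against a server, whether its IMAP `CAPABILITY` line advertises `LOGINDISABLED` (RFC 3501) so that clients cannot log in before `STARTTLS` (RFC 2595). All session bytes, account names and passwords are constructed for the demo.

```python
"""Added example: what a passive sniffer recovers from mail logins sent without
TLS, and whether an IMAP server even refuses such logins. Every byte stream,
user name and password below is constructed for the demo; none are real."""
from __future__ import annotations

import base64
import re
from typing import NamedTuple


class ExposedCredential(NamedTuple):
    protocol: str
    username: str
    password: str


# Constructed client->server streams, as a sniffer on a shared LAN or open
# Wi-Fi would reassemble them from port 143 (IMAP), 110 (POP3) and 80 (HTTP).
IMAP_LOGIN = (b"a001 CAPABILITY\r\n"
              b'a002 LOGIN "aunt.ethel@example.com" "hunter2"\r\n'
              b"a003 SELECT INBOX\r\n")
IMAP_AUTH_PLAIN = (b"a001 AUTHENTICATE PLAIN "
                   + base64.b64encode(b"\x00ethel\x00s3cret") + b"\r\n")
POP3_LOGIN = b"USER aunt.ethel\r\nPASS correct-horse\r\nSTAT\r\n"
HTTP_BASIC = (b"GET /mail/ HTTP/1.1\r\nHost: mail.example.com\r\n"
              b"Authorization: Basic " + base64.b64encode(b"ethel:batterystaple")
              + b"\r\n\r\n")
# Constructed stand-in for the same login once TLS is on: opaque record bytes.
TLS_RECORD = b"\x17\x03\x03\x00\x2a" + bytes(range(42))

# IMAP LOGIN (RFC 3501): tag, LOGIN, user, password, each an atom or quoted string.
_IMAP_LOGIN = re.compile(r'^\S+ LOGIN (?:"([^"]*)"|(\S+)) (?:"([^"]*)"|(\S+))\s*$', re.I)
_IMAP_PLAIN = re.compile(r"^\S+ AUTHENTICATE PLAIN (\S+)\s*$", re.I)
_POP3_USER = re.compile(r"^USER (\S+)\s*$", re.I)
_POP3_PASS = re.compile(r"^PASS (.+?)\s*$", re.I)
_HTTP_BASIC = re.compile(r"^Authorization: Basic (\S+)\s*$", re.I)


def extract_credentials(stream: bytes) -> list[ExposedCredential]:
    """Scan one client->server stream for logins sent in the clear.

    Only protocol text is inspected, so a TLS-wrapped session (IMAPS on 993,
    POP3S on 995, STARTTLS, HTTPS) yields ciphertext here and nothing matches.
    """
    found: list[ExposedCredential] = []
    pending_user = None  # POP3 sends USER and PASS as two separate commands
    for raw in stream.split(b"\r\n"):
        line = raw.decode("utf-8", errors="replace")
        if m := _IMAP_LOGIN.match(line):
            user = m.group(1) if m.group(1) is not None else m.group(2)
            pw = m.group(3) if m.group(3) is not None else m.group(4)
            found.append(ExposedCredential("imap", user, pw))
        elif m := _IMAP_PLAIN.match(line):
            # SASL PLAIN (RFC 4616): base64 of authzid NUL authcid NUL password
            parts = base64.b64decode(m.group(1)).split(b"\x00")
            if len(parts) == 3:
                found.append(ExposedCredential("imap", parts[1].decode(), parts[2].decode()))
        elif m := _POP3_USER.match(line):
            pending_user = m.group(1)
        elif (m := _POP3_PASS.match(line)) and pending_user is not None:
            found.append(ExposedCredential("pop3", pending_user, m.group(1)))
            pending_user = None
        elif m := _HTTP_BASIC.match(line):
            user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
            found.append(ExposedCredential("http", user, pw))
    return found


def server_permits_plaintext_login(imap_capability: str, port: int) -> bool:
    """Would this IMAP server accept a LOGIN sent in the clear?

    Takes the server's CAPABILITY line (constructed here; in practice read it
    right after connecting). On 993 the whole session is already inside TLS.
    On 143 the server is only safe if it advertises LOGINDISABLED until
    STARTTLS has been negotiated; merely offering STARTTLS is not enough,
    because a careless client can still send LOGIN first.
    """
    if port == 993:
        return False
    return "LOGINDISABLED" not in imap_capability.upper().split()


if __name__ == "__main__":
    samples = [("IMAP LOGIN", IMAP_LOGIN), ("IMAP AUTH PLAIN", IMAP_AUTH_PLAIN),
               ("POP3", POP3_LOGIN), ("HTTP Basic", HTTP_BASIC), ("TLS", TLS_RECORD)]
    for name, stream in samples:
        print(f"{name:16} -> {extract_credentials(stream)}")
    for caps, port in [("* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN", 143),
                       ("* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED", 143)]:
        print(f"port {port} {caps!r}: plaintext login allowed ="
              f" {server_permits_plaintext_login(caps, port)}")
```

The extractor only ever sees bytes; it does not care which application produced them, which is why the advice in the story (change the password, but do it over the web interface, and not via the app that leaks it) is the right order of operations. The capability check is the server-side counterpart: a client that requires SSL protects its own users, but a server that advertises `LOGINDISABLED` until `STARTTLS` protects even the careless clients.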
  5. This will be fixed in the next version. by mkraft · Score: 4, Informative

    According to a post by a Zimbra employee over at their forums, this will be corrected in the next version of Zimbra Desktop.