Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Flaw In Yahoo Mail Exposes Plaintext Authentication Info

Posted by Soulskill on from the who-needs-encryption-anyway dept.

holdenkarau writes "Yahoo!'s acquisition of open source mail client Zimbra has apparently brought some baggage to the mail team. The new Yahoo! desktop program transmits the authentication information in plain text. The flaw was discovered during a Yahoo 'hacku' Day at the University of Waterloo (the only Canadian school part of the trip). Compared to the recent news about Gmail exposing the names associated with accounts, this seems downright scary. So, if you have friends or relatives who might have installed Yahoo! desktop and value their e-mail accounts, now would be a good time to get them to change the password and switch back to the web interface."

5 of 66 comments (clear)

  1. Like Joe Average is going to care... by Splab · · Score: 4, Insightful

    I mean seriously, most sites transmits their passwords in plain text - most people use the same credentials everywhere so whats the big fudging deal?

    If you can't trust your upstream provider you should be using someone else anyways.

  2. But no https... by Junta · · Score: 4, Insightful

    Look at the fine picture. It's a wireshark trace. The complaint is that it is issuing IMAP traffic without even SSL wrapping it.

    Modern practice, virtually all passwords when transmitted on the wire are protected through encryption. Preferably with x509 certificates mitigating the opportunity for man in the middle (in ssh's case, the more manual known_hosts mechanism). There is good reason.

    Just because something was done 10 years ago, doesn't mean it was ok. 10 years ago, most desktops ran Windows 98. 10 years ago, Macs didn't implement preemptive multitasking. 10 years ago, some mailers would gleefully execute attachments without any check with the user. 10 years ago, IE would gleefully execute random ActiveX objects on the web.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:But no https... by whoever57 · · Score: 3, Insightful

      Modern practice, virtually all passwords when transmitted on the wire are protected through encryption

      I don't agree. Maybe for webmail and other web-based authentication schemes, but there are millions of people who use unencrypted POP and whose POP credentials are sent in clear text.

      --
      The real "Libtards" are the Libertarians!
    2. Re:But no https... by MoogMan · · Score: 3, Insightful

      Modern practice, virtually all passwords when transmitted on the wire are protected through encryption

      Considering a *lot* of users use passwords primarily on the Internet, this statement is incorrect.

      Any website that requires you to log in, and does not use https/ssl or HTTP digest access authentication will be sniffable.

      AFAIK, hotmail, yahoo and gmail, amazon, ebay all allow users to log in via http - that's probably 90%+ of your users vulnerable right there.

      Just to put this in perspective - this may be a backwards step for Yahoo Mail users per. se. but isn't really much worse than your average user logging into a bunch of other websites with the same password anyway.

  3. Re:Overreaction... by Dhalka226 · · Score: 3, Insightful

    Sure it might be considered paranoid, but then again you don't put locks on your door because you're constantly expecting strangers to get in, you put them in just in case.

    No, you put them in to discourage the thief from even trying. Breaking most door locks isn't a particularly hard task, but it is noisy and it's fair more complicated than simply jumping in the open window next door.

    That said, a door-locks-to-encryption analogy suffers. In order to tell whether or not you're using encryption, they basically have to have already compromised your system or connection in such a way that they can already see your packets. Maybe they move away at that point, but you've already got some pretty serious problems.