Security Flaw In Yahoo Mail Exposes Plaintext Authentication Info

holdenkarau writes "Yahoo!'s acquisition of open source mail client Zimbra has apparently brought some baggage to the mail team. The new Yahoo! desktop program transmits the authentication information in plain text. The flaw was discovered during a Yahoo 'hacku' Day at the University of Waterloo (the only Canadian school part of the trip). Compared to the recent news about Gmail exposing the names associated with accounts, this seems downright scary. So, if you have friends or relatives who might have installed Yahoo! desktop and value their e-mail accounts, now would be a good time to get them to change the password and switch back to the web interface."

Like Joe Average is going to care...

[Splab]

I mean seriously, most sites transmits their passwords in plain text - most people use the same credentials everywhere so whats the big fudging deal?

If you can't trust your upstream provider you should be using someone else anyways.

But no https...

[Junta]

Look at the fine picture. It's a wireshark trace. The complaint is that it is issuing IMAP traffic without even SSL wrapping it.

Modern practice, virtually all passwords when transmitted on the wire are protected through encryption. Preferably with x509 certificates mitigating the opportunity for man in the middle (in ssh's case, the more manual known_hosts mechanism). There is good reason.

Just because something was done 10 years ago, doesn't mean it was ok. 10 years ago, most desktops ran Windows 98. 10 years ago, Macs didn't implement preemptive multitasking. 10 years ago, some mailers would gleefully execute attachments without any check with the user. 10 years ago, IE would gleefully execute random ActiveX objects on the web.