Security Flaw In Yahoo Mail Exposes Plaintext Authentication Info
holdenkarau writes "Yahoo!'s acquisition of open source mail client Zimbra has apparently brought some baggage to the mail team. The new Yahoo! desktop program transmits the authentication information in plain text. The flaw was discovered during a Yahoo 'hacku' Day at the University of Waterloo (the only Canadian school that was part of the trip). Compared to the recent news about Gmail exposing the names associated with accounts, this seems downright scary. So, if you have friends or relatives who might have installed Yahoo! desktop and value their e-mail accounts, now would be a good time to get them to change the password and switch back to the web interface."
I mean seriously, most sites transmit their passwords in plain text - most people use the same credentials everywhere, so what's the big fudging deal?
If you can't trust your upstream provider you should be using someone else anyways.
Sure it might be considered paranoid, but then again you don't put locks on your door because you're constantly expecting strangers to get in, you put them in just in case.
This security flaw makes it a piece of cake to get someone's login info if you want it. Then again; most website logins and all kinds of other things are probably the same way, so this is just the status quo.
Srsly u guys. U guys, srsly.
Look at the fine picture. It's a wireshark trace. The complaint is that it is issuing IMAP traffic without even SSL wrapping it.
In modern practice, virtually all passwords are protected through encryption when transmitted on the wire. Preferably with X.509 certificates mitigating the opportunity for man-in-the-middle attacks (in SSH's case, the more manual known_hosts mechanism). There is good reason.
Just because something was done 10 years ago, doesn't mean it was ok. 10 years ago, most desktops ran Windows 98. 10 years ago, Macs didn't implement preemptive multitasking. 10 years ago, some mailers would gleefully execute attachments without any check with the user. 10 years ago, IE would gleefully execute random ActiveX objects on the web.
XML is like violence. If it doesn't solve the problem, use more.
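The wireshark trace the comment refers to shows an IMAP LOGIN readable on the wire. As an added illustration (not from the article, Yahoo! or Zimbra), here is a small Python detector a defender could run over decoded IMAP messages from a capture: it flags LOGIN and AUTHENTICATE PLAIN on flows that STARTTLS never protected, and keeps only the account name, never the password. The line format, the hosts and the messages are constructed for the example.

```python
import base64
import re

# Constructed sample (not from the article): "<src>:<port> > <dst>:<port> <payload>" per IMAP message; 143 is cleartext IMAP.
SAMPLE_CAPTURE = [
    "10.0.0.5:51000 > 203.0.113.10:143 a001 STARTTLS",                  # flow 1 upgrades to TLS
    "203.0.113.10:143 > 10.0.0.5:51000 a001 OK Begin TLS negotiation now",
    "10.0.0.7:52000 > 203.0.113.10:143 b001 LOGIN alice@example.com hunter2",  # the article's case
    "10.0.0.9:52500 > 203.0.113.10:143 c001 AUTHENTICATE PLAIN",        # base64 is not encryption
    "10.0.0.9:52500 > 203.0.113.10:143 AGFsaWNlAGh1bnRlcjI=",
    "10.0.0.12:54000 > 203.0.113.10:143 d001 STARTTLS",                 # refused, client falls back
    "203.0.113.10:143 > 10.0.0.12:54000 d001 NO TLS not available",
    '10.0.0.12:54000 > 203.0.113.10:143 d002 LOGIN "carol" "pass word"',
]
LINE_RE = re.compile(r"^(\S+:\d+) > (\S+:(\d+)) (.*)$")
def find_cleartext_logins(lines):
    """Findings for every LOGIN / AUTHENTICATE PLAIN sent on a flow TLS does not cover."""
    tls_pending, protected, awaiting_sasl, findings = {}, set(), set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, dport, payload = m.groups()
        words = payload.split()
        if dport != "143":                 # server reply (or 993 implicit TLS: nothing readable)
            flow = (dst, src)
            if flow in tls_pending and words[:1] == [tls_pending[flow]]:
                del tls_pending[flow]      # a NO/BAD answer leaves the flow unprotected
                if words[1:2] == ["OK"]:
                    protected.add(flow)    # everything after this is inside TLS
            continue
        flow = (src, dst)
        if flow in protected:
            continue
        cmd = words[1].upper() if len(words) > 1 else ""
        if flow in awaiting_sasl:          # SASL PLAIN blob: b64(authzid NUL authcid NUL password)
            awaiting_sasl.discard(flow)
            try:
                parts = base64.b64decode(words[0] if words else "", validate=True).split(b"\x00")
            except ValueError:
                parts = []
            user = parts[1].decode("utf-8", "replace") if len(parts) == 3 else "?"
            findings.append({"flow": flow, "mechanism": "AUTHENTICATE PLAIN", "user": user})
        elif cmd == "STARTTLS":
            tls_pending[flow] = words[0]   # remember the tag so only its reply counts
        elif cmd == "LOGIN" and len(words) >= 4:
            findings.append({"flow": flow, "mechanism": "LOGIN", "user": words[2].strip('"')})
        elif cmd == "AUTHENTICATE" and words[2:3] == ["PLAIN"]:
            awaiting_sasl.add(flow)
    return findings                        # the password itself is never copied out
```

Run on the sample, it reports two LOGINs and one SASL PLAIN exchange, while the flow that completed STARTTLS produces nothing.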
No, you put them in to discourage the thief from even trying. Breaking most door locks isn't a particularly hard task, but it is noisy and it's far more complicated than simply jumping in the open window next door.
That said, a door-locks-to-encryption analogy suffers. In order to tell whether or not you're using encryption, they basically have to have already compromised your system or connection in such a way that they can already see your packets. Maybe they move away at that point, but you've already got some pretty serious problems.
I haven't looked carefully at the rest of the platforms that Yahoo provides, but I believe that at least Yahoo Messenger (when connecting with Pidgin anyway) also sends the same auth credentials in plain text. Not that the overall problem is insignificant (*any* time auth credentials are sent, in any context, they should be encrypted), but worrying only about IMAP is naive in this case. (What about POP? What about all the Y! web platforms?)
Yahoo! POP is SSL encrypted (and only available to pro account users in any case). Part of the worry for me is Yahoo! doesn't disclose that the connection is unencrypted in the default program, and there is no way to get it to use encryption (the server doesn't even support encryption). As far as other Yahoo! properties go, I have no idea.
After all, you've just told them the app uses plain text, then you tell them to use the app to change the password. :)
That said, the friends and relatives probably use machines running key loggers anyway.
GameRanger - multiplayer gaming service for PC and Mac games
Maybe they move away at that point, but you've already got some pretty serious problems.
Yes, and if you're using plain text password transmission, game over.
The door lock to security analogy of this goes: When the thief twists your door knob to see if it's locked, if you didn't lock it, game over. From the street or some distant spot on the network, everything looks the same. It's ONLY when you attempt to open the door or look at the packets that you find out whether the locks are in use.
Getting to the point that they can see your packets (for many hackers) is as easy as walking up to your front door. On the Internet, it's as easy to walk up to your front door as it is to walk up to the front door of someone in another country. In fact, some hackers walk up to a LOT of front doors to find one that is not locked.
The analogy still works. Those serious problems that you are talking about have always been there. Every cable subscriber in the USA probably has 14 people looking at their front door to see if it's locked. Remember, hackers are not all script kiddies. It only takes one trojan to sit there and monitor the whole neighborhood looking for somewhere else to live and scoop passwords. Aunt Ethel on the corner doesn't know much about computer security, so her pc is the one monitoring your packets. See how this goes?
In this case, you do lock the doors because you are ALWAYS expecting people to try to get in. Period. That's just how it is.
Support NYCountryLawyer RIAA vs People
More to the point, if you are using one of these free ad agency supplied services you surely are not using it for anything important or sensitive anyway.
Are you?
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
According to a post by a Zimbra employee over at their forums, this will be corrected in the next version of Zimbra Desktop.
You give the general public too much credit, or are you joking?
When I signed up for DSL service, it was with SBC Yahoo! DSL, you insensitive clod!
Program Intellivision!