Security Flaw In Yahoo Mail Exposes Plaintext Authentication Info

holdenkarau writes "Yahoo!'s acquisition of open source mail client Zimbra has apparently brought some baggage to the mail team. The new Yahoo! desktop program transmits the authentication information in plain text. The flaw was discovered during a Yahoo 'hacku' Day at the University of Waterloo (the only Canadian school part of the trip). Compared to the recent news about Gmail exposing the names associated with accounts, this seems downright scary. So, if you have friends or relatives who might have installed Yahoo! desktop and value their e-mail accounts, now would be a good time to get them to change the password and switch back to the web interface."

Like Joe Average is going to care...

[Splab]

I mean seriously, most sites transmits their passwords in plain text - most people use the same credentials everywhere so whats the big fudging deal?

If you can't trust your upstream provider you should be using someone else anyways.

Re:Overreaction...

[The+Gaytriot]

Sure it might be considered paranoid, but then again you don't put locks on your door because you're constantly expecting strangers to get in, you put them in just in case.
This security flaw makes it a piece of cake to get someone's login info if you want it. Then again; most website logins and all kinds of other things are probably the same way, so this is just the status quo.

But no https...

[Junta]

Look at the fine picture. It's a wireshark trace. The complaint is that it is issuing IMAP traffic without even SSL wrapping it.

Modern practice, virtually all passwords when transmitted on the wire are protected through encryption. Preferably with x509 certificates mitigating the opportunity for man in the middle (in ssh's case, the more manual known_hosts mechanism). There is good reason.

Just because something was done 10 years ago, doesn't mean it was ok. 10 years ago, most desktops ran Windows 98. 10 years ago, Macs didn't implement preemptive multitasking. 10 years ago, some mailers would gleefully execute attachments without any check with the user. 10 years ago, IE would gleefully execute random ActiveX objects on the web.

Re:But no https...

[Nutria]

but there are millions of people who use unencrypted POP and whose POP credentials are sent in clear text.

And the vast majority of those packets stay within the ISPs private network. You'd have to be directly sniffing the ISP's network, and who, besides the gov't and that ISP has the wherewithal to accomplish such a task?

Re:But no https...

[kesuki]

"and who, besides the gov't and that ISP has the wherewithal to accomplish such a task?"

a man by the name of dan egerstad http://it.slashdot.org/article.pl?sid=07/09/11/1730258

apparently, because pop transactions are in the clear, sophisticated government users have used the onion router network to encrypt the traffic and allow remote pop logins.

all you need is to get wireshark, and a nice high speed connection and start running yourself an onion router, it's amazing what you'll get...

as far as the government being able to read e-mail, well, that doesn't sit well with me either. since when can we trust 'big brother' the government? the same government that wasted billions of dollars on haliburton no bid contracts that resulted in substandard work when anything was done at all?

This will be fixed in the next version.

[mkraft]

According to a post by a Zimbra employee over at their forums. This will be corrected in the next version of Zimbra Desktop.