Zimbra Desktop Vulnerable to Man-in-the-Middle Attack

tiffanydanica writes "For all the flack Mozilla gets about its new security warnings for https sites, at least it warns the user when a mismatch occurs. Sadly the new Yahoo! Zimbra Desktop (released in part to fix some security issues), doesn't bother validating the SSL certificate on the other side before sending along the username and password, making it vulnerable to a man-in-the-middle attack. This is certainly a step up from transmitting the information in the clear, since the attacker must switch from being passive to active, but with all of the DNS security problems, it would be fairly trivial for a malicious attacker to grab a large number of Yahoo! accounts (be it for phishing or spaming). Hopefully this issue will get fixed shortly, but for now Yahoo! Zimbra Desktop users may wish to use the webmail interface."

Phorm reads your Email?

[corsec67]

Since BT is giving Phorm a MitM position in their network, does this mean that Phorm would be able to read the email of anyone that uses Yahoo Zimbra, even if they try to use https?

Re:Responsible disclosure?

[Albanach]

"At the time of the writing Yahoo! security has been notified."

I do wonder what route he chose to notify them? Maybe an email to postmaster@... ?

I don't see anything on Zimbra's bugzilla which I'd have thought would be the proper place to make such a report.

Maybe that was too difficult to find, and wouldn't be immediately obvious to other zimbra users. But then there's nothing immediately obvious on the official zimbra forums either.