New Nokia Smartphones Leak E-mail Passwords
Noksu writes "Despite of the recent plunge in Nokia's profits, the company is doing well in the surveillance business. The infamous 'Lex Nokia' got ratified in Finland and the company has launched a massive Nokoscope research project for data gathering. In the meantime Nokia's new smartphones forward e-mail account credentials to a remote server. Surprisingly enough, this is done in HTTP request headers. The company has been informed, but there has not been an official statement yet. Time for class action suit in the US?"
Only "thugs" use Nokia.
Don't use 'GET /', 'HTTP/1.0', or 'user-agent' as your password, and you will be much less likely to have your password submitted automatically by an HTTP client program.
Nokia's response
What?
What the fuck is "in the us"?
Oh, you mean the USA. Stop calling yourselves the "US", it's "USA".
Welcome to the world of push email? How else would you like us to do it, buddy?
This isn't really an issue, is it?
Yes, it sends credentials through to Nokia, but it does _not_ use an un-encrypted HTTP connection to do it. It uses SSL/HTTPS. It's also _not_ done in HTTP Header messages, it's going through in the GET request.
*shrug*
Ed R. Zahurak
You know, oblivion keeps looking better every day.
Subby here: To clarify some things: this issue is on Nokia Messaging client. The only device (AFAIK) that currently ships with Nokia Messaging is E75. The older models use the old email/messaging software, that has nothing to do with Nokia Messaging service.
I haven't checked how Nokia markets the Nokia Messaging service/client nowadays, but originally it was marketed as a service (the email proxy) and accompanying client, and you couldn't even use the client without the proxy service.
Apparently this has changed now that the E75 ships without the original standalone email client.
So, E71 (or any other Nokia phone except E75) does not have this issue unless you have downloaded the separate Nokia Messaging software and use that for reading mail.
The Editing Nazi Demi-Gods are not happy.
Despite the recent plunge ...
In the meantime, Nokia's ...
Surprisingly enough, this is being done in the HTTP request headers.
Time for a class action suit in the US?
Fixed that for you.
Good thing my email password is ";drop database;"
There are no atheists when recovering from tape backup.
Seriously, such a flaw would have been quickly spotted by computer geeks if the software source were available. And it would have been corrected by the community if it had been open source.
They're not very smart phones.
I think (but I could be wrong) that AT&T supports email on some (or all) mobile devices where there is no push server involved. AT&T reads the email and presents it to the user through a browser.
RTFBP again. He's not using any proxy server or messaging depot--he's going to connect directly to his company's mail server, and not have Nokia cache the email for him.
Why does Nokia need a copy of his credentials in that case?
(They don't.)
Ditto.
I'm not surprised that the amateurs at Nokia would do this. The S60 platform on the whole seems like a throwback to the early 2000s, back when smartphone users were a marginalized bunch who would put up with niggling annoyances as long as they could receive email on their devices. If the iPhone OS is pretty much OS X on a phone, then S60 is like running Windows 98 on your phone.
I'm pretty much convinced that anyone using a Nokia smartphone right now is a masochist. My experience with an E71 has been horrendous. The built-in email client cannot handle HTML and even though there's IMAP support, you can't move messages between folders. You can't even save sent messages to your own IMAP folder, so they're forever stuck in your phone's own "Sent" folder. You can either pull messages at varying time intervals, or you can use IMAP IDLE without message retrieval, but inexplicably you can't have both at the same time. Even if you use IMAP IDLE, only changes to the inbox are monitored. Why does anyone even use the built-in client? Well, only Nokia's own applications are given the ability to present notifications on the home screen.
Almost everybody who uses their E71 for serious emailing chooses to buy Profimail for $30, even though it also has quite a few missing features. It can't detect the phone's volume settings, so if you're in a meeting you'll have to silence both your phone and Profimail. The vibration alert doesn't work on my phone.
The new "Mail by Nokia" system is hilariously crappy. They want you to give them the logins to your mail accounts, then they retrieve your email. Why would anyone do this? The only benefits, as far as I can tell, are push notifications and a slightly less ugly interface that completely ignores your own UI settings. The (very beta) web interface for setting up your Mail by Nokia account is incredibly limited. I still can't figure out how I managed to set up my FastMail account to work with them. After using Nokia Mail for a day I decided that these amateurs are probably not going to be storing my information in any secure manner, so I disabled my Nokia account and changed all of my email passwords.
The whole platform is locked down because applications need to be signed. The Symbian Foundation, in the interest of locking down your phone past the point of usability, uses an insanely complex system to approve applications before signing them. The entry cost is enormous, on the order of thousands of dollars, which effectively shuts out most hobbyists from producing signed applications. Instead, they release unsigned applications, and all the users have to allow their phones to accept them. So what was the point of locking down the platform in the first place?
Maybe I'm spoiled from having used an iPod touch. The App Store is amazingly simple and convenient, and the community has a critical mass of users and developers. For most common uses, I can assume that there's an app out there that can do what I want. Not so for a Nokia phone.
As commenters have already pointed out on those blog posts, push IMAP will require that Nokia stores your credentials on servers that check for your new email as a proxy.
This request is https. If, during setup, you asked for push IMAP, or any number of other imaginable features for your mail account, sending your credentials to a Nokia or wireless carrier server will be necessary.
Actually... if it's https... how the hell can this guy tell what the URL request is? Has he patched their email client to snitch?
There are no trails. There are no trees out here.
iPhone doesn't do this.
They're sending the email address, username and password to Nokia to determine the right settings (server name etc.) for the email account. I suppose they have some sort of database of email settings for common email providers. Of course, we all know that they have to have the username and password; the domain part of the email address wouldn't be enough. I don't feel like a proud Finn right now. I'm also not very happy to deal with the issue, since I do IT support for a company that recently got a few of these new fancy smartphones and is using them for email too. No use setting up SSL both ways, thanks to backdoors in the device.
Now that I know it's only Nokia, I don't have to throw away my perfectly good, still functioning, non-leaking, 6 YEAR old SAMSUNG cellphone.
I was getting worried.
Even Microsoft hasn't sunk to that level of incompetence and blatant violation of user privacy. Transmitting the user's password to a third party server in plain text over an unencrypted link is inexcusable.
I have several Nokia phones; obviously, I need to get rid of them. If they make such a fundamental mistake, Nokia obviously cannot be trusted with anything.
Fortunately, with Android, we now have a reasonable alternative.
A class-action lawsuit? Seriously?
Americans are crazy. One guy with a blog has discovered a security flaw. There has been no exploit for this flaw. Nobody is complaining that they've lost anything. What's more, this "issue" can be fixed with a firmware update. But no! Our sense of entitlement tells us that this is another opportunity to take a bunch of money out of the pockets of an eeeeeeeeeevvil corporation ... and put it into the pockets of a bunch of lawyers. Awesome.
I love the part where Nokia hasn't even issued a response yet, and we interpret that as more reason to sue. Awesome.
Every other post on Slashdot seems to be decrying how messed-up the system is in this country, and then the next post comes along demanding that we shovel more coal into the fires. Get your heads straight, please.
Breakfast served all day!
This is the price you pay for "push" e-mail on most mobile devices.
Instead of having the phone constantly connected, polling and costing money in data bills, the network does it at their end, and can then notify the phone using some GSM jiggerypokery.
FUD.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
Here's to sensationalism and mis-representation.
Nokoscope was not started by Nokia, but by one or two developers who happen to work for Nokia. It is not an official Nokia project, nor will it ever be, nor is it 'massive'. It will never be installed by default on any Nokia device.
-- "Perceptions create reality. By changing your perceptions you change your reality."
Well, that's the reason many people don't buy Blackberry phones. Nokia used to be different. But apparently Nokia phones are off the table as well now for anybody who cares about security.
And why does it matter? Because once the password is sent in plain text anywhere, you have no control over it. It likely gets stored in Nokia's server logs and on their backup tapes. Nokia employees can access it. Police can subpoena it. Intruders can sniff it. Etc.
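Added example, not part of the thread and not code from Nokia or any mail client: the comments above make the point that a credential placed in a GET request's URL is exposed even over HTTPS, because the URL (path and query string) is exactly what a web server writes to its access log, keeps in backups and shows to anyone who can read those files, while the TLS layer only protects the bytes in transit. The Python below runs a small scanner over constructed access log lines (Apache-style "combined" format is an assumption; hostnames, paths and parameter names are invented) that flags requests carrying credential-looking query parameters and produces a redacted copy of the log suitable for retention. It also generalizes a little beyond the thread by treating API tokens the same way as passwords.

```python
"""
Detect and redact credentials that arrive in GET query strings.

Added example, not from the Slashdot thread or from any vendor's code.
TLS hides the request on the wire, but the server still logs the full
request target, so a password in the URL ends up in logs and backups.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample log lines (Apache "combined" format assumed). Hosts,
# paths, parameter names and the user agent are invented for illustration.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Apr/2009:08:12:01 +0000] "GET /autoconfig?email=alice%40example.com&username=alice&password=s3cr3t HTTP/1.1" 200 512 "-" "ExampleMailClient/1.0"
10.0.0.9 - - [10/Apr/2009:08:12:05 +0000] "GET /autoconfig?domain=example.com HTTP/1.1" 200 498 "-" "ExampleMailClient/1.0"
10.0.0.7 - - [10/Apr/2009:08:12:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "ExampleMailClient/1.0"
10.0.0.4 - - [10/Apr/2009:08:13:00 +0000] "GET /api/messages?folder=INBOX&token=ab12cd HTTP/1.1" 200 2048 "-" "ExampleMailClient/1.0"
"""

# Parameter names that commonly carry secrets. Matched case-insensitively
# and by substring, so "user_password" and "apiToken" are caught as well.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "apikey", "api_key")

# Pulls method, request target and protocol out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def _is_sensitive(name: str) -> bool:
    return any(s in name.lower() for s in SENSITIVE_KEYS)


def sensitive_params(target: str) -> list:
    """Names of the query parameters in `target` that look like credentials."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if _is_sensitive(k)]


def redact_target(target: str) -> str:
    """Copy of the request target with every sensitive value replaced."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if _is_sensitive(k) else v) for k, v in pairs]
    # A target without a query string is returned unchanged (e.g. "/login").
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_log(text: str) -> list:
    """Flag every request whose URL carries a credential-looking parameter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; leave it alone
        keys = sensitive_params(m.group("target"))
        if keys:
            findings.append({"line": lineno, "method": m.group("method"), "params": keys})
    return findings


def redact_log(text: str) -> str:
    """Copy of the log that is safe to keep: secrets in URLs replaced, rest untouched."""
    def fix(m):
        return '"%s %s %s"' % (m.group("method"), redact_target(m.group("target")), m.group("proto"))
    return "\n".join(REQUEST_RE.sub(fix, line) for line in text.splitlines())


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line %d: %s request exposes %s in the URL" % (f["line"], f["method"], ", ".join(f["params"])))
    print(redact_log(SAMPLE_LOG))
```

Note that the second sample line, which sends only the domain, is exactly the shape an autoconfiguration request can take without any secret in it, and the POST line shows that a body-carried credential never reaches the access log at all; the scanner flags only the first and fourth lines. Redaction at log-write time is the usual mitigation when a legacy client cannot be changed quickly, but the real fix is to keep credentials out of the URL altogether.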
what makes you think they are using apache?