New Nokia Smartphones Leak E-mail Passwords
Noksu writes "Despite the recent plunge in Nokia's profits, the company is doing well in the surveillance business. The infamous 'Lex Nokia' got ratified in Finland and the company has launched a massive Nokoscope research project for data gathering. In the meantime Nokia's new smartphones forward e-mail account credentials to a remote server. Surprisingly enough, this is done in HTTP request headers. The company has been informed, but there has not been an official statement yet. Time for a class action suit in the US?"
I guess Nokia getting your email account credentials isn't an issue for you.
If you set up an email on your Blackberry with BIS (not BES) then RIM has your credentials.
Why is it an issue now with only Nokia?
After reading the article, it doesn't seem that it uses the HTTP headers, it appears to use actual URL parameters, which is probably 100x worse. Either way, if it sends plain text passwords, that's just idiotic.
The new "Mail by Nokia" system is hilariously crappy. They want you to give them the logins to your mail accounts, then they retrieve your email. Why would anyone do this?
Probably for the same reason that people let Gmail do this.
In the clear? No.
In Apache access logs? muahahah....
This request is https. If, during setup, you asked for push IMAP, or any number of other imaginable features for your mail account, sending your credentials to a Nokia or wireless carrier server will be necessary.
Not only have you not RTFA but you haven't bothered to read the previous Slashdot comments. He is NOT using push email and he intercepted the communications on his own network using Webscarab and Wireshark. Nokia are only providing the comms terminal and have neither the need nor the right to know his password or account details.
It is still not such a big deal.
Not a big deal to have your credentials sent to a third party? What if Nokia's wizard used a Finnish government server instead?
What if a Chinese-made phone was sending username/password to a Chinese government server?
What if Antti Järjestelmävalvojanen, a (fictitious) Nokia network admin, starts storing them on his thumb drive?