Slashdot Mirror


New Nokia Smartphones Leak E-mail Passwords

Noksu writes "Despite the recent plunge in Nokia's profits, the company is doing well in the surveillance business. The infamous 'Lex Nokia' got ratified in Finland and the company has launched a massive Nokoscope research project for data gathering. In the meantime Nokia's new smartphones forward e-mail account credentials to a remote server. Surprisingly enough, this is done in HTTP request headers. The company has been informed, but there has not been an official statement yet. Time for a class action suit in the US?"

29 of 94 comments

  1. Solution: by forkazoo · · Score: 4, Funny

    Don't use 'GET /', 'HTTP/1.0', or 'user-agent' as your password, and you will be much less likely to have your password submitted automatically by an HTTP client program.

    1. Re:Solution: by 0100010001010011 · · Score: 5, Informative

      Hell, what if you use a ?, & or a # in your password? Something tells me they probably didn't do a url encode.

      Although you could have some fun with dumb snoopers out there.

      Just make your password:

      https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
      address=test.user@mycompany.com&password=topsecret&
      mcc=244&mnc=91&carrier=sonera

      So the request would be:
      https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
      address=test.user@mycompany.com&password=https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
      address=test.user@mycompany.com&password=topsecret&
      mcc=244&mnc=91&carrier=sonera&
      mcc=244&mnc=91&carrier=sonera
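As an added illustration of the encoding point in the comment above (example code written for this page, not code from Nokia or from anyone in the thread): the same request is built once by bare string concatenation and once with Python's `urlencode`, and both are then parsed the way the receiving server would parse them. The endpoint path is the one quoted above; the address and the password, which contains all three characters the comment asks about, are constructed values.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint path as quoted in the thread; the credentials used below are
# constructed sample values, not real account data.
ENDPOINT = "https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/"

def naive_url(address, password):
    """Build the request by string concatenation with no percent-encoding:
    the behaviour the comment above suspects the client of."""
    return (f"{ENDPOINT}?operation=ccds.provider.determineAccount"
            f"&applicationCode=email&address={address}&password={password}"
            f"&mcc=244&mnc=91&carrier=sonera")

def encoded_url(address, password):
    """Build the same request with urlencode(), which percent-encodes
    '?', '&', '=', '#', '@' and friends so every value survives intact."""
    params = [
        ("operation", "ccds.provider.determineAccount"),
        ("applicationCode", "email"),
        ("address", address),
        ("password", password),
        ("mcc", "244"),
        ("mnc", "91"),
        ("carrier", "sonera"),
    ]
    return f"{ENDPOINT}?{urlencode(params)}"

def server_view(url):
    """Parse a URL the way the receiving server would: anything after '#'
    is a fragment the client never sends, and the query is split on '&'/'='.
    Returns {name: [values]} so duplicated parameters stay visible."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)

def roundtrips(address, password, builder):
    """True if the server sees exactly the address and password it was given."""
    seen = server_view(builder(address, password))
    return seen.get("address") == [address] and seen.get("password") == [password]

if __name__ == "__main__":
    pw = "top?&mcc=999#x"   # constructed: contains '?', '&' and '#'
    addr = "test.user@mycompany.com"
    print("naive  :", server_view(naive_url(addr, pw)))
    print("encoded:", server_view(encoded_url(addr, pw)))
    print("naive round-trips:", roundtrips(addr, pw, naive_url))
    print("encoded round-trips:", roundtrips(addr, pw, encoded_url))
```

With the unencoded build the server sees the password truncated to `top?`, the `mcc` value overridden by the part of the password after the `&`, and the `mnc` and `carrier` parameters missing entirely (they ended up in the fragment after `#`, which never leaves the client). The encoded build round-trips every value unchanged.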

    2. Re:Solution: by tritonman · · Score: 4, Insightful

      After reading the article, it doesn't seem that it uses the HTTP headers, it appears to use actual URL parameters, which is probably 100x worse. Either way, if it sends plain text passwords, that's just idiotic.

    3. Re:Solution: by janeuner · · Score: 3, Insightful

      In the clear? No.

      In apache access logs? muahahah....
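The access-log point above is the practical consequence of putting a credential in a GET query string: TLS protects the bytes in transit, but the server's own request log records the full request line. As an added example (written for this page, not code from Nokia or the thread), here is a small detection and redaction pass over Apache combined-format log lines. The log lines are constructed; the first one mirrors the query quoted earlier in the thread, and the list of sensitive parameter names is a hypothetical starting point.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample lines in Apache "combined" log format; addresses, times
# and user agents are made up. The first request mirrors the query quoted
# in the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Apr/2009:10:12:01 +0300] "GET /api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&address=test.user%40mycompany.com&password=topsecret&mcc=244&mnc=91&carrier=sonera HTTP/1.1" 200 512 "-" "ExampleMailClient/1.0"
10.0.0.6 - - [17/Apr/2009:10:12:07 +0300] "GET /static/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [17/Apr/2009:10:12:09 +0300] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Parameter names treated as credentials (hypothetical list; extend it for
# the APIs you actually run).
SENSITIVE = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Matches the quoted request line: method, request-target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')

def credential_params(line):
    """Return [(name, value)] for sensitive query parameters in one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE]

def redact_line(line):
    """Return the line with sensitive query values replaced; every other
    field, including the non-sensitive parameters, is left as it was."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    if not parts.query:
        return line
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = urlunsplit(parts._replace(query=urlencode(pairs)))
    return line[:m.start("target")] + target + line[m.end("target"):]

def scan(log_text):
    """Detection pass: (line number, findings) for every line that records a credential."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        found = credential_params(line)
        if found:
            hits.append((n, found))
    return hits

if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG):
        print(f"line {n}: {[name for name, _ in found]}")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

Redacting after the fact is a stopgap: the durable fix on the server side is to not log the query string at all (Apache's `LogFormat` can record `%U`, the path without the query, instead of the full `%r` request line), and on the client side to never carry a credential in a URL in the first place.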

  2. Response from Nokia by GuldKalle · · Score: 5, Interesting
    --
    What?
  3. Non-issue? by TrebleJunkie · · Score: 3, Informative

    This isn't really an issue, is it?

    Yes, it sends credentials through to Nokia, but it does _not_ use an un-encrypted HTTP connection to do it. It uses SSL/HTTPS. It's also _not_ done in HTTP Header messages, it's going through in the GET request.

    *shrug*

    --

    Ed R. Zahurak

    You know, oblivion keeps looking better every day.

    1. Re:Non-issue? by Nos. · · Score: 5, Insightful

      I guess Nokia getting your email account credentials isn't an issue for you.

    2. Re:Non-issue? by InsertWittyNameHere · · Score: 5, Insightful

      If you set up an email on your Blackberry with BIS (not BES) then RIM has your credentials.

      Why is it an issue now with only Nokia?

    3. Re:Non-issue? by InsertWittyNameHere · · Score: 5, Informative

      Basically their (RIM, etc) server will check for email, download it, compress it, then push it to your device.

      So if you have 10 email accounts rather than your device constantly checking each one, wasting data and battery life, the server does all that work and you get push email functionality.

    4. Re:Non-issue? by Sethb · · Score: 5, Informative

      This is the way BIS works. The reason you get great battery life out of a Blackberry is that RIM's server is hitting your POP/IMAP server and checking for mail, then it just pushes it to your Blackberry as needed. Compared to running a Windows Mobile phone with your IMAP connection being live all day, the battery & traffic savings are enormous. The downside is that you have to share your username & password with RIM, unless you're using BES, which is what enterprises who worry about giving out their passwords do...

      --
      When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
    5. Re:Non-issue? by causality · · Score: 2, Interesting

      If you set up an email on your Blackberry with BIS (not BES) then RIM has your credentials.

      Why is it an issue now with only Nokia?

      That's a good question. I'll give you my best guess at an answer, though a guess is all that it is.

      I should say up front that I don't know very much at all about Blackberries. I will assume that what you said is correct, that a Blackberry with BIS presents the very same privacy issue because it shares username/password credentials with a third party. Thus, the privacy issues posed by predecessors like the Blackberry can be viewed as a mistake or at least as less-than-optimal. If it's a mistake, then there is no good reason why Nokia could not have learned from this previous example and designed their system in such a way that no third parties need to be trusted with confidential information.

      It should be possible to equip the phone with a standard POP3/IMAP e-mail client. Logically, if a phone can have a Web browser it can also have such an e-mail client. Then the login credentials can be stored in the phone itself and the phone can use APOP, TLS, or SSL to communicate securely with the e-mail server. Then Nokia is merely the carrier and has no reason to ever see anyone's login credentials and those credentials are safe(r) from other eavesdroppers because they are not sent as plaintext. If these new Nokia phones could do that, then that would represent an improvement on the earlier example of the Blackberry.

      The thing I don't understand is why anyone would ever design the system in such a way that a third party needs to be trusted with confidential information. It seems unnecessary. What benefit does this provide that absolutely cannot be arranged by an independent e-mail client that stores such information locally on the phone? I suppose that same question can be rephrased as "does server-push provide any benefit that client-pull with a reasonable polling time could not also provide?"

      --
      It is a miracle that curiosity survives formal education. - Einstein
    6. Re:Non-issue? by Binestar · · Score: 2, Interesting

      The thing I don't understand is why anyone would ever design the system in such a way that a third party needs to be trusted with confidential information. It seems unnecessary. What benefit does this provide that absolutely cannot be arranged by an independent e-mail client that stores such information locally on the phone? I suppose that same question can be rephrased as "does server-push provide any benefit that client-pull with a reasonable polling time could not also provide?"

      Battery life. By having the Blackberry server push the email to your blackberry you save the battery time and bandwidth of checking your email every 10-15 minutes.

      If you don't want them to have your password get a BES.

      It starts to become a does $.002 == .002cents question.

      --
      Do you Gentoo!?
    7. Re:Non-issue? by ivucica · · Score: 2, Informative

      IMAP, on a properly written client, in online mode, keeps the connection open and the server notifies the client when new messages arrive.

    8. Re:Non-issue? by digitalchinky · · Score: 4, Informative

      This article is news, you are having comprehension issues. The article writer is not using or wanting a proxy to handle email.

      The short version, since you missed it.

      * Built-in mail client setup wizard = spyware (And since there is no other method to create an account, how do you propose one avoid it?)

      When I set up thunderbird to talk to MY imap/pop server, I don't expect it to go off and give my authentication details to Mozilla.
      When I set up my phone in exactly the same way, I don't expect it to hand out my authentication info to Nokia.

      Thunderbird doesn't do this. Nokia does. How is that not news? The system you are talking about is entirely different to the one the author is describing.

    9. Re:Non-issue? by Anonymous Coward · · Score: 4, Interesting

      I know very well how Nokia Messaging works because I use it. This is their new email client that is now being shipped on recent higher-end phone(s), or that can be downloaded/installed on older models. It is made to compete with Blackberry services which work the same way.

      You can complete its setup over the web - you go to http://email.nokia.com/, enter the IMAP/POP server name/username/password and add up to 10 accounts to your main Nokia account.

      Alternatively, you can do these steps on the phone itself, which is what the OP described.

      You then run Nokia Messaging on your phone, enter your master credentials and have access to all of your accounts.

      This is how this service is designed. You may think it's not prudent to give Nokia your credentials, but this is how this service is designed and there are reasons for doing it this way.

      Claiming there is some conspiracy is silly.

  4. A few details I forgot: by Anonymous Coward · · Score: 5, Informative

    Subby here: To clarify some things: this issue is in the Nokia Messaging client. The only device (AFAIK) that currently ships with Nokia Messaging is the E75. The older models use the old email/messaging software, which has nothing to do with the Nokia Messaging service.

    I haven't checked how Nokia markets the Nokia Messaging service/client nowadays, but originally it was marketed as a service (the email proxy) and accompanying client, and you couldn't even use the client without the proxy service.

    Apparently this has changed now that the E75 ships without the original standalone email client.

    So, E71 (or any other Nokia phone except E75) does not have this issue unless you have downloaded the separate Nokia Messaging software and use that for reading mail.

    1. Re:A few details I forgot: by GuldKalle · · Score: 4, Informative

      According to the blogger's follow-up, at least three models are affected:
      5800 (20.0.0.12)
      N79 (11.049)
      E75 (110.48.78)

      Also from the follow-up:
      Yes, I know there is a solution called Nokia Messaging (read more from here), but maybe I wasn't clear enough in my initial post: I am configuring direct IMAP/POP access to my own/company/organization/whatever email service and I am not using nor planning to use Nokia's messaging proxy.

      --
      What?
    2. Re:A few details I forgot: by Progoth · · Score: 3, Informative

      I'm on the server software team, so I'm not completely sure about the client - but as I understand it, the client's hitting our CCDS server to save you the step of putting in server names / ports /etc. The service was written for Nokia Messaging, and is used there, but is also valid for the client to configure its built-in client.

      /just finished implementing push, non-POP Hotmail support for Nokia Messaging not too long ago

  5. sneaky.. by Keruo · · Score: 4, Funny

    Good thing my email password is ";drop database;"

    --
    There are no atheists when recovering from tape backup.
    1. Re:sneaky.. by idontgno · · Score: 5, Funny

      Bobby Tables, is that you?

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  6. sounds like by Presto Vivace · · Score: 5, Funny

    they're not very smart phones.

    1. Re:sounds like by Sockatume · · Score: 3, Funny

      I mentally inserted a Horatio sunglasses moment between your post title and the content.

      --
      No kidding!!! What do you say at this point?
  7. Re:An issue. by GuldKalle · · Score: 2, Informative

    nope.
    At least that was very clearly not his intention

    --
    What?
  8. Re:More amateurish BS from Nokia by Anonymusing · · Score: 2, Insightful

    The new "Mail by Nokia" system is hilariously crappy. They want you to give them the logins to your mail accounts, then they retrieve your email. Why would anyone do this?

    Probably for the same reason that people let Gmail do this.

    --
    Liberal? Conservative? Compare perspectives at Left-Right
  9. How else to do push email? by Elwood P Dowd · · Score: 4, Interesting

    As commenters have already pointed out on those blog posts, push IMAP will require that Nokia stores your credentials on servers that check for your new email as a proxy.

    This request is https. If, during setup, you asked for push IMAP, or any number of other imaginable features for your mail account, sending your credentials to a Nokia or wireless carrier server will be necessary.

    Actually... if it's https... how the hell can this guy tell what the URL request is? Has he patched their email client to snitch?

    --

    There are no trails. There are no trees out here.
    1. Re:How else to do push email? by godel_56 · · Score: 2, Insightful

      This request is https. If, during setup, you asked for push IMAP, or any number of other imaginable features for your mail account, sending your credentials to a Nokia or wireless carrier server will be necessary.

      Not only have you not RTFA but you haven't bothered to read the previous Slashdot comments. He is NOT using push email and he intercepted the communications on his own network using Webscarab and Wireshark. Nokia are only providing the comms terminal and have neither the need nor the right to know his password or account details.

  10. Re:An issue. by Culture20 · · Score: 4, Insightful

    it is still not such a big deal.

    Not a big deal to have your credentials sent to a third party? What if Nokia's wizard used a Finnish government server instead?
    What if a Chinese-made phone was sending username/password to a Chinese government server?
    What if Antti Järjestelmävalvojanen, a (fictitious) Nokia network admin, starts storing them on his thumb drive?

  11. Class action suit? by PCM2 · · Score: 2, Interesting

    A class-action lawsuit? Seriously?

    Americans are crazy. One guy with a blog has discovered a security flaw. There has been no exploit for this flaw. Nobody is complaining that they've lost anything. What's more, this "issue" can be fixed with a firmware update. But no! Our sense of entitlement tells us that this is another opportunity to take a bunch of money out of the pockets of an eeeeeeeeeevvil corporation ... and put it into the pockets of a bunch of lawyers. Awesome.

    I love the part where Nokia hasn't even issued a response yet, and we interpret that as more reason to sue. Awesome.

    Every other post on Slashdot seems to be decrying how messed-up the system is in this country, and then the next post comes along demanding that we shovel more coal into the fires. Get your heads straight, please.

    --
    Breakfast served all day!
  12. Give me a break... by Capt. Beyond · · Score: 2, Informative

    Here's to sensationalism and mis-representation.

    Nokoscope was not started by Nokia, but by one or two developers who happen to work for Nokia. It is not an official Nokia project, nor will it ever be, nor is it 'massive'. It will never be installed by default on any Nokia device.

    --
    "Perceptions create reality. By changing your perceptions you change your reality."