Slashdot Mirror
New Nokia Smartphones Leak E-mail Passwords
Noksu writes "Despite of the recent plunge in Nokia's profits, the company is doing well in the surveillance business. The infamous 'Lex Nokia' got ratified in Finland and the company has launched a massive Nokoscope research project for data gathering. In the meantime Nokia's new smartphones forward e-mail account credentials to a remote server. Surprisingly enough, this is done in HTTP request headers. The company has been informed, but there has not been an official statement yet. Time for class action suit in the US?"
Don't use 'GET /', 'HTTP/1.0', or 'user-agent' as your password, and you will be much less likely to have your password submitted automatically by an HTTP client program.
Nokias response
What?
Subby here: To clarify some things: this issue is on Nokia Messaging client. The only device (AFAIK) that currently ships with Nokia Messaging is E75. The older models use the old email/messaging software, that has nothing to do with Nokia Messaging service.
I haven't checked how Nokia markets the Nokia Messaging service/client nowadays, but originally it was marketed as a service (the email proxy) and accompanying client, and you couldn't even use the client without the proxy service.
Apparently this has changed now when E75 ships without the original standalone email client.
So, E71 (or any other Nokia phone except E75) does not have this issue unless you have downloaded the separate Nokia Messaging software and use that for reading mail.
I guess Nokia getting your email account credentials isn't an issue for you.
If you setup an email on your Blackberry with BIS (not BES) then RIM has your credentials.
Why is it an issue now with only Nokia?
Good thing my email password is ";drop database;"
There are no atheists when recovering from tape backup.
they're not very smart phones.
Basically their (RIM, etc) server will check for email, download it, compress it, then push it to your device.
So if you have 10 email accounts rather than your device constantly checking each one, wasting data and battery life, the server does all that work and you get push email functionality.
This is the way BIS works. The reason you get great battery life out of a Blackberry is that RIM's server is hitting your POP/IMAP server and checking for mail, then it just pushes it to your Blackberry as needed. Compared to running a Windows Mobile phone with your IMAP connection being live all day, the battery & traffic savings are enormous. The downside is that you have to share your username & password with RIM, unless you're using BES, which is what enterprises who worry about giving out their passwords do...
When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
As commenters have already pointed out on those blog posts, push IMAP will require that Nokia stores your credentials on servers that check for your new email as a proxy.
This request is https. If, during setup, you asked for push IMAP, or any number of other imaginable features for your mail account, sending your credentials to a Nokia or wireless carrier server will be necessary.
Actually... if it's https... how the hell can this guy tell what the URL request is? Has he patched their email client to snitch?
There are no trails. There are no trees out here.
This article is news, you are having comprehension issues. The article writer is not using or wanting a proxy to handle email.
The short version, since you missed it.
* Built in mail client set up wizard = spyware (And since there is no other method to create an account, how do you propose one avoid it?)
When I set up thunderbird to talk to MY imap/pop server, I don't expect it to go off and give my authentication details to Mozilla.
When I set up my phone in exactly the same way, I don't expect it to hand out my authentication info to Nokia.
Thunderbird doesn't do this. Nokia does. How is that not news? The system you are talking about is entirely different to the one the author is describing.
it is still not such a big deal.
Not a big deal to have your credentials sent to a third party? What if Nokia's wizard used a Finnish government server instead?
What if a Chinese-made phone was sending username/password to a Chinese government server?
What if Antti Järjestelmävalvojanen, a (fictitious) Nokia network admin, starts storing them on his thumb drive?
I know very well how Nokia Messaging works because I use it. This is their new email client that is now being shipped on recent higher-end phone(s), or that can be downloaded/installed on older models. It is made to compete with Blackberry services which work the same way.
You can complete its setup over the web - you go to http://email.nokia.com/ enter IMAP/POP server name/username/password and add up to 10 accounts to your main Nokia account.
Alternatively, you can do these steps on the phone itself, which is what the OP described.
You then run Nokia Messaging on your phone, enter your master credentials and have access to all of your accounts.
This is how this service is designed. You may think it's not prudent to give Nokia your credentials, but this is how this service is designed and there are reasons for doing it this way.
Claiming there is some conspiracy is silly.