Slashdot Mirror


New Nokia Smartphones Leak E-mail Passwords

Noksu writes "Despite the recent plunge in Nokia's profits, the company is doing well in the surveillance business. The infamous 'Lex Nokia' got ratified in Finland and the company has launched a massive Nokoscope research project for data gathering. In the meantime Nokia's new smartphones forward e-mail account credentials to a remote server. Surprisingly enough, this is done in HTTP request headers. The company has been informed, but there has not been an official statement yet. Time for a class action suit in the US?"

9 of 94 comments

  1. Response from Nokia by GuldKalle · · Score: 5, Interesting
    --
    What?
  2. A few details I forgot: by Anonymous Coward · · Score: 5, Informative

    Subby here: To clarify some things: this issue is in the Nokia Messaging client. The only device (AFAIK) that currently ships with Nokia Messaging is the E75. The older models use the old email/messaging software, which has nothing to do with the Nokia Messaging service.

    I haven't checked how Nokia markets the Nokia Messaging service/client nowadays, but originally it was marketed as a service (the email proxy) and accompanying client, and you couldn't even use the client without the proxy service.

    Apparently this has changed now that the E75 ships without the original standalone email client.

    So, E71 (or any other Nokia phone except E75) does not have this issue unless you have downloaded the separate Nokia Messaging software and use that for reading mail.

  3. Re:Non-issue? by Nos. · · Score: 5, Insightful

    I guess Nokia getting your email account credentials isn't an issue for you.

  4. Re:Solution: by 0100010001010011 · · Score: 5, Informative

    Hell, what if you use a ?, & or a # in your password? Something tells me they probably didn't do a url encode.

    Although you could have some fun with dumb snoopers out there.

    Just make your password:

    https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
    address=test.user@mycompany.com&password=topsecret&
    mcc=244&mnc=91&carrier=sonera

    So the request would be:
    https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
    address=test.user@mycompany.com&password=https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
    address=test.user@mycompany.com&password=topsecret&
    mcc=244&mnc=91&carrier=sonera&
    mcc=244&mnc=91&carrier=sonera
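
The encoding problem raised in the comment above, as an added example that is not part of the original thread and not Nokia's code: it builds the quoted request with and without percent-encoding and parses each one the way a receiving server would. The endpoint and parameter names are copied from the comment; the password values and helper names are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoint and parameter names are the ones quoted in the comment;
# every password value used here is constructed sample data.
BASE = ("https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/"
        "?operation=ccds.provider.determineAccount&applicationCode=email")
ADDRESS = "test.user@mycompany.com"


def build_naive(address, password):
    """Concatenate the values into the query with no percent-encoding."""
    return (f"{BASE}&address={address}&password={password}"
            "&mcc=244&mnc=91&carrier=sonera")


def build_encoded(address, password):
    """Percent-encode every value before appending it to the query."""
    tail = urlencode({"address": address, "password": password,
                      "mcc": "244", "mnc": "91", "carrier": "sonera"})
    return f"{BASE}&{tail}"


def server_view(url):
    """Return the query parameters as a receiving server would parse them."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


if __name__ == "__main__":
    # '&' ends the password early, '#' turns the rest into a fragment,
    # so the trailing mcc/mnc/carrier parameters never reach the server.
    truncated = "pa&ss#wo?rd"
    # A password that itself contains "&password=" yields two values.
    duplicated = "x&password=topsecret"
    for pw in (truncated, duplicated):
        print("password:", repr(pw))
        print("  naive  :", server_view(build_naive(ADDRESS, pw)))
        print("  encoded:", server_view(build_encoded(ADDRESS, pw)))
```

With encoding applied the password round-trips unchanged, but it is still carried inside the request URL.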

  5. Re:Non-issue? by InsertWittyNameHere · · Score: 5, Insightful

    If you set up an email on your Blackberry with BIS (not BES) then RIM has your credentials.

    Why is it an issue now with only Nokia?

  6. sounds like by Presto+Vivace · · Score: 5, Funny

    they're not very smart phones.

  7. Re:sneaky.. by idontgno · · Score: 5, Funny

    Bobby Tables, is that you?

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  8. Re:Non-issue? by InsertWittyNameHere · · Score: 5, Informative

    Basically their (RIM, etc) server will check for email, download it, compress it, then push it to your device.

    So if you have 10 email accounts rather than your device constantly checking each one, wasting data and battery life, the server does all that work and you get push email functionality.

  9. Re:Non-issue? by Sethb · · Score: 5, Informative

    This is the way BIS works. The reason you get great battery life out of a Blackberry is that RIM's server is hitting your POP/IMAP server and checking for mail, then it just pushes it to your Blackberry as needed. Compared to running a Windows Mobile phone with your IMAP connection being live all day, the battery & traffic savings are enormous. The downside is that you have to share your username & password with RIM, unless you're using BES, which is what enterprises who worry about giving out their passwords do...

    --
    When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein