Tapping the IPhone, Courtesy of Yahoo!

Posted by timothy on Thu Oct 09, 2008 03:16 PM
from the when-tumblers-align dept.
tdalek writes "You may remember the recent Slashdot article about Yahoo! Zimbra Desktop exposing authentication information. It turns out that more Yahoo! applications are affected, although to a lesser degree. With Yahoo!'s desktop program, it transmitted the usernames and passwords in plaintext. Yahoo! is one of the lucky few default e-mail providers on the iPhone; sadly it looks like Apple didn't insist on encryption from Yahoo! On the iPhone, authentication is encrypted, but you can see all the messages sent and received in plaintext. Incoming messages are downloaded in plaintext over the standard IMAP port. Outgoing mail is a bit harder to find; it is apparently sent by an HTTP POST request wrapped up inside a bundle of XML, but security through obscurity isn't very effective. If you have Yahoo! mail on your iPhone (and since it's one of the default accounts, I'm assuming quite a few do), now would be a good time to forward it elsewhere for the time being."
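The submission's point is that the iPhone client pulls mail over the plain IMAP port, so anyone on the path (an open Wi-Fi access point, for instance) can read message bodies even though the login step is protected. The added example below is not from the story or from Yahoo!/Apple; it is a small audit routine that walks a captured IMAP exchange and reports what a passive observer could have read. Both session transcripts are constructed samples, the hostnames, tags and credentials in them are made up, and the `port` parameter is an assumption used to model implicit TLS on 993 versus STARTTLS (or nothing) on 143.

```python
import re

# Constructed sample: a client on TCP/143 that never issues STARTTLS.
# ("C", ...) is a client line, ("S", ...) a server line. Not a real capture.
PLAINTEXT_SESSION = [
    ("S", "* OK IMAP4rev1 server ready"),
    ("C", "a001 CAPABILITY"),
    ("S", "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"),
    ("S", "a001 OK CAPABILITY completed"),
    ("C", "a002 LOGIN alice@example.com hunter2"),        # constructed credentials
    ("S", "a002 OK LOGIN completed"),
    ("C", "a003 SELECT INBOX"),
    ("S", "a003 OK [READ-WRITE] SELECT completed"),
    ("C", "a004 FETCH 1 BODY[]"),
    ("S", "* 1 FETCH (BODY[] {42}"),
    ("S", "Subject: hello\r\n\r\nplaintext body"),
    ("S", "a004 OK FETCH completed"),
]

# Constructed sample: same server, but the client upgrades with STARTTLS
# before logging in. Everything after the OK is ciphertext to a sniffer.
STARTTLS_SESSION = [
    ("S", "* OK IMAP4rev1 server ready"),
    ("C", "a001 CAPABILITY"),
    ("S", "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"),
    ("S", "a001 OK CAPABILITY completed"),
    ("C", "a002 STARTTLS"),
    ("S", "a002 OK Begin TLS negotiation now"),
]

# IMAP client commands are "<tag> <COMMAND> [args]".
TAGGED_CMD = re.compile(r"^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$")


def audit_imap_session(session, port=143):
    """Report what a passive observer could read from this IMAP exchange.

    Returns {"tls_active": bool, "findings": [(kind, detail), ...]}.
    Port 993 is implicit TLS, so the whole session is opaque on the wire.
    On 143 the session is readable until the server accepts STARTTLS.
    """
    if port == 993:
        return {"tls_active": True, "findings": []}

    findings = []
    tls_active = False
    pending_starttls_tag = None

    for direction, line in session:
        if tls_active:
            break  # nothing past the TLS upgrade is visible in the clear
        if direction == "C":
            m = TAGGED_CMD.match(line)
            if not m:
                continue
            cmd = m.group("cmd").upper()
            if cmd == "STARTTLS":
                pending_starttls_tag = m.group("tag")
            elif cmd in ("LOGIN", "AUTHENTICATE"):
                # Record the event, never the secret: the audit log must not
                # become a second copy of the plaintext credentials.
                findings.append(("CLEARTEXT_CREDENTIALS", cmd + " <args redacted>"))
            elif cmd == "FETCH":
                # The server's reply to this FETCH carries the message body
                # in the clear, which is exactly what the story describes.
                findings.append(("CLEARTEXT_MESSAGE_FETCH", line))
        elif pending_starttls_tag and line.startswith(pending_starttls_tag + " OK"):
            tls_active = True

    return {"tls_active": tls_active, "findings": findings}


if __name__ == "__main__":
    for name, sess in (("plaintext", PLAINTEXT_SESSION), ("starttls", STARTTLS_SESSION)):
        print(name, audit_imap_session(sess))
```

The same routine answers the question several commenters argue about: a client configured for IMAP over SSL (port 993) or one that upgrades with STARTTLS yields no findings, while a client that logs in and fetches on the bare port leaks both the login exchange and every message body to whoever is on the path. The fix on the client side is a configuration choice, not a patch: select SSL/TLS for the incoming server and confirm the port is 993 (or that STARTTLS is required).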

Related Stories

[+] Technology: Security Flaw In Yahoo Mail Exposes Plaintext Authentication Info 66 comments
holdenkarau writes "Yahoo!'s acquisition of open source mail client Zimbra has apparently brought some baggage to the mail team. The new Yahoo! desktop program transmits the authentication information in plain text. The flaw was discovered during a Yahoo 'hacku' Day at the University of Waterloo (the only Canadian school part of the trip). Compared to the recent news about Gmail exposing the names associated with accounts, this seems downright scary. So, if you have friends or relatives who might have installed Yahoo! desktop and value their e-mail accounts, now would be a good time to get them to change the password and switch back to the web interface."
  • It's an interesting article, but couldn't /. help the guy out with the text?
    • It's an interesting article, but couldn't /. help the guy out with the text?

      It turns out that more that other Slashdot editors busy other things.

• Is there a GPG plugin for the iPhone yet?
      The only one I saw for the BlackBerry was commercial and rather expensive... I don't think mobile email has much in the way of security just yet.

    • Re:so what? (Score:4, Interesting)

      by repvik (96666) <slashdot@kynisk.com> on Thursday October 09 2008, @04:05PM (#25320519)

      E-mail being insecure isn't news. Defaulting to plaintext auth almost is.

      • But if you RTFA, (or even the summary!) you'll notice that authentication IS encrypted. The email itself is just plain text which... well email itself is insecure.

    • Re: (Score:2, Insightful)

      Actually, there is another option. Mail2web has free exchange accounts which you can use with your iphone. My yahoo push was pretty hit or miss, but activesync with Mail2Web is pretty good.

      On the other hand, Apple needs to get push notifications working. I'm tired of being strung along.

  • by -Neko- (67564) on Thursday October 09 2008, @03:48PM (#25320267) Homepage

    Wow, someone actually uses an internet standard email solution and everyone complains. Be happy they actually use IMAP, god damn it. You wouldn't get that from Microsoft.

    So it's not done over SSL or TLS, that's unfortunate, but this isn't a bug, it's a lack of a feature. Who's going to be snooping your email traffic from an iPhone anyway? It's encrypted up to the point it gets out of the cell network, and if you're using WPA for your WiFi connection if you're near a decent access point, and someone would have to really work hard to actually get at your data.

    God forbid the billions of SMTP servers transmitting your mail around the world (personally I use Google Apps so I get to use TLS to send my mail to them, but it will go out from Google to whatever other server in plaintext) too.

    This state of affairs is incredible! I mean.. what is the world coming to? Excuse me while I slit my wrists..

    • ...and if you're using WPA for your WiFi connection if you're near a decent access point,...

      Please keep in mind we are talking about iPhone users with yahoo email accounts here. All of that 'find out the WPA key, type it in, get it wrong, type it in again' stuff is so tedious. Especially when there is an access point labelled "Free WIFI" visible without all that annoying security key stuff to deal with. Just connect to that one real quick and check email before the bus/plane/whatever gets here.

      • Doesn't that basically come under the category "they don't give a shit about security, so who cares?"

    • by moderatorrater (1095745) on Thursday October 09 2008, @04:05PM (#25320517)

      Wow, someone actually uses an internet standard email solution and everyone complains...This state of affairs is incredible! I mean.. what is the world coming to? Excuse me while I slit my wrists.

      You're right, they're clearly overreacting.

      • Anyone using 90% of IMAP accounts is equally at risk. This is a non-story, most IMAP mail isn't encrypted.

        The real story is that email is bloody awful and needs replacing.

    • by bahamat (187909) on Thursday October 09 2008, @05:23PM (#25321513) Homepage

      It's not "an internet standard email solution". They use a proprietary and embarrassingly insecure login sequence which can be replayed to gain access to a user's mail at any time.

      It's already been documented:
      http://blog.dave.cridland.net/?p=32 [cridland.net]

      And let's all welcome Timothy to last year, because it's been around for a while.

    • Re: (Score:3, Insightful)

      So it's not done over SSL or TLS, that's unfortunate, but this isn't a bug, it's a lack of a feature. Who's going to be snooping your email traffic from an iPhone anyway?

      Non-secure public WiFi? That's quite common and very vulnerable to hacking. Of course, I use imap+gmail+SSL, but this was a bad idea.

      I still feel that Yahoo doesn't really take security seriously, in that you can't really force yahoo mail to go secure over https like Google can (it only secures the login page).

  • I don't actually understand the point of this message. You either use IMAP over SSL (or POP, for that matter) or you don't. If you don't, it's not encrypted. Why would you expect it to be?

  • You can't really "Tap the iphone" because of Yahoo, just possibly read unencrypted Yahoo mail. I really don't see what is different between this and somebody on a laptop using wireless to check their email through standard (unencrypted) pop and/or imap. On another note, who really cares? If you are using a Yahoo account for super secret things (trade/industry secrets, government secrets, etc), then you are dumb. If you are using a Yahoo account to talk to your aunt Mabel and get the latest C1Al!5 spam l
  • This warrants a heading like "Tapping The iPhone"? Har har, Slashdot. Way to give those banner ads another 50,000 rotations.