
 




Tapping the iPhone, Courtesy of Yahoo!

tdalek writes "You may remember the recent Slashdot article about Yahoo! Zimbra Desktop exposing authentication information. It turns out that more Yahoo! applications are affected, although to a lesser degree. With Yahoo!'s desktop program, it transmitted the usernames and passwords in plaintext. Yahoo! is one of the lucky few default e-mail providers on the iPhone; sadly it looks like Apple didn't insist on encryption from Yahoo! On the iPhone, authentication is encrypted, but you can see all the messages sent and received in plaintext. Incoming messages are downloaded in plaintext over the standard IMAP port. Outgoing mail is a bit harder to find; it is apparently sent by an HTTP POST request wrapped up inside a bundle of XML, but security through obscurity isn't very effective. If you have Yahoo! mail on your iPhone (and since it's one of the default accounts, I'm assuming quite a few do), now would be a good time to forward it elsewhere for the time being."
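The exposure described in the summary above (protected login, message traffic readable on the standard IMAP port), as an added example that is not part of the original submission and not Yahoo!'s or Apple's code: a small audit that reads a port-143 session transcript and reports what an on-path observer learns. The transcript is constructed, CRAM-MD5 is an assumed stand-in for a login that keeps the password off the wire, and `audit_imap_transcript` is a hypothetical helper name.

```python
import re

# Constructed transcript of what a passive observer sees on TCP port 143
# ("C:" client, "S:" server). CRAM-MD5 is an assumed stand-in for a login
# that does not put the password on the wire; all values are made up.
SAMPLE = """\
S: * OK IMAP4rev1 ready
C: a1 CAPABILITY
S: * CAPABILITY IMAP4rev1 STARTTLS AUTH=CRAM-MD5
S: a1 OK done
C: a2 AUTHENTICATE CRAM-MD5
S: + Y2hhbGxlbmdl
C: cmVzcG9uc2U=
S: a2 OK authenticated
C: a3 SELECT INBOX
S: a3 OK done
C: a4 UID FETCH 1 BODY[]
S: * 1 FETCH (BODY[] {16}
S: Subject: hello
S: a4 OK done
"""

CLIENT_CMD = re.compile(r"^C: (\S+) ([A-Za-z]+)(?: (.*))?$")
CONTENT_VERBS = {"FETCH", "APPEND", "SEARCH"}   # carry or query message data
PLAINTEXT_SASL = {"PLAIN", "LOGIN"}             # base64 only, trivially decoded

def audit_imap_transcript(transcript):
    """Report what an on-path observer learns from a port-143 session."""
    report = {"starttls": False, "password_exposed": False, "content_exposed": []}
    for line in transcript.splitlines():
        m = CLIENT_CMD.match(line)
        if not m:
            continue                      # server line or SASL continuation
        verb, args = m.group(2).upper(), (m.group(3) or "").split()
        if verb == "UID" and args:        # UID FETCH / UID SEARCH wrap the real verb
            verb, args = args[0].upper(), args[1:]
        if verb == "STARTTLS":
            report["starttls"] = True     # the rest of the session is inside TLS
            break
        if verb == "LOGIN":
            report["password_exposed"] = True
        elif verb == "AUTHENTICATE" and args and args[0].upper() in PLAINTEXT_SASL:
            report["password_exposed"] = True
        elif verb in CONTENT_VERBS:
            report["content_exposed"].append(f"{m.group(1)} {verb}")
    return report

if __name__ == "__main__":
    print(audit_imap_transcript(SAMPLE))
```

For the constructed sample the report shows no STARTTLS upgrade, no password exposure, and one message fetch readable in the clear, which is the combination the summary describes.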
  • by NekoXP ( 67564 ) on Thursday October 09, 2008 @04:48PM (#25320267) Homepage

    Wow, someone actually uses an internet standard email solution and everyone complains. Be happy they actually use IMAP, god damn it. You wouldn't get that from Microsoft.

    So it's not done over SSL or TLS, that's unfortunate, but this isn't a bug, it's a lack of a feature. Who's going to be snooping your email traffic from an iPhone anyway? It's encrypted up to the point it gets out of the cell network, and if you're using WPA for your WiFi connection if you're near a decent access point, and someone would have to really work hard to actually get at your data.

    God forbid the billions of SMTP servers transmitting your mail around the world (personally I use Google Apps so I get to use TLS to send my mail to them, but it will go out from Google to whatever other server in plaintext) too.

    This state of affairs is incredible! I mean.. what is the world coming to? Excuse me while I slit my wrists..

  • Re:Push Email (Score:2, Insightful)

    by bjackson1 ( 953136 ) on Thursday October 09, 2008 @05:31PM (#25320859)

    Actually, there is another option. Mail2Web has free Exchange accounts which you can use with your iPhone. My Yahoo push was pretty hit or miss, but ActiveSync with Mail2Web is pretty good.

    On the other hand, Apple needs to get push notifications working. I'm tired of being strung along.

  • by rsborg ( 111459 ) on Thursday October 09, 2008 @06:24PM (#25321529) Homepage

    So it's not done over SSL or TLS, that's unfortunate, but this isn't a bug, it's a lack of a feature. Who's going to be snooping your email traffic from an iPhone anyway?

    Non-secure public WiFi? That's quite common and very vulnerable to hacking. Of course, I use imap+gmail+SSL, but this was a bad idea.

    I still feel that Yahoo doesn't really take security seriously, in that you can't really force Yahoo Mail to go secure over HTTPS like Google can (it only secures the login page).
