
Tapping the IPhone, Courtesy of Yahoo!

timothy posted about 6 years ago | from the when-tumblers-align dept.

Bug 27

tdalek writes "You may remember the recent Slashdot article about Yahoo! Zimbra Desktop exposing authentication information. It turns out that more Yahoo! applications are affected, although to a lesser degree. With Yahoo!'s desktop program, it transmitted the usernames and passwords in plaintext. Yahoo! is one of the lucky few default e-mail providers on the iPhone; sadly it looks like Apple didn't insist on encryption from Yahoo! On the iPhone, authentication is encrypted, but you can see all the messages sent and received in plaintext. Incoming messages are downloaded in plaintext over the standard IMAP port. Outgoing mail is a bit harder to find; it is apparently sent by an HTTP POST request wrapped up inside a bundle of XML, but security through obscurity isn't very effective. If you have Yahoo! mail on your iPhone (and since it's one of the default accounts, I'm assuming quite a few do), now would be a good time to forward it elsewhere for the time being."


27 comments


A little editing here ... (1)

eagee (1308589) | about 6 years ago | (#25319797)

It's an interesting article, but couldn't /. help the guy out with the text?

Re:A little editing here ... (2, Funny)

bill_mcgonigle (4333) | about 6 years ago | (#25319945)

It's an interesting article, but couldn't /. help the guy out with the text?

It turns out that more that other Slashdot editors busy other things.

so what? (0)

Anonymous Coward | about 6 years ago | (#25319953)

Email is insecure. That's not news for nerds. If it matters, use GPG.

Re:so what? (1)

Bert64 (520050) | about 6 years ago | (#25320205)

Is there a GPG plugin for the iphone yet?
The only one i saw for the blackberry was commercial and rather expensive... I don't think mobile email has much in the way of security just yet.

Re:so what? (3, Interesting)

repvik (96666) | about 6 years ago | (#25320519)

E-mail being insecure isn't news. Defaulting to plaintext auth almost is.

Re:so what? (1)

Jearil (154455) | about 6 years ago | (#25324681)

But if you RTFA, (or even the summary!) you'll notice that authentication IS encrypted. The email itself is just plain text which... well email itself is insecure.

Push Email (0)

Anonymous Coward | about 6 years ago | (#25320203)

Yahoo! Mail is the only free option for push email on the iPhone. Fixing that "bug" seems even more important to me.

Also, where are the push notifications? September is long gone.

Re:Push Email (2, Insightful)

bjackson1 (953136) | about 6 years ago | (#25320859)

Actually, there is another option. Mail2web has free exchange accounts which you can use with your iphone. My yahoo push was pretty hit or miss, but activesync with Mail2Web is pretty good.

On the other hand, Apple needs to get push notifications working. I'm tired of being strung along.

Internet standards! (3, Insightful)

NekoXP (67564) | about 6 years ago | (#25320267)

Wow, someone actually uses an internet standard email solution and everyone complains. Be happy they actually use IMAP, god damn it. You wouldn't get that from Microsoft.

So it's not done over SSL or TLS, that's unfortunate, but this isn't a bug, it's a lack of a feature. Who's going to be snooping your email traffic from an iPhone anyway? It's encrypted up to the point it gets out of the cell network, and if you're using WPA for your WiFi connection if you're near a decent access point, and someone would have to really work hard to actually get at your data.

God forbid the billions of SMTP servers transmitting your mail around the world (personally I use Google Apps so I get to use TLS to send my mail to them, but it will go out from Google to whatever other server in plaintext) too.

This state of affairs is incredible! I mean.. what is the world coming to? Excuse me while I slit my wrists..

Re:Internet standards! (1)

Fnord666 (889225) | about 6 years ago | (#25320499)

...and if you're using WPA for your WiFi connection if you're near a decent access point,...

Please keep in mind we are talking about iPhone users with yahoo email accounts here. All of that 'find out the WPA key, type it in, get it wrong, type it in again' stuff is so tedious. Especially when there is an access point labelled "Free WIFI" visible without all that annoying security key stuff to deal with. Just connect to that one real quick and check email before the bus/plane/whatever gets here.

Re:Internet standards! (1)

NekoXP (67564) | about 6 years ago | (#25320607)

Doesn't that basically come under the category "they don't give a shit about security, so who cares?"

Re:Internet standards! (4, Funny)

moderatorrater (1095745) | about 6 years ago | (#25320517)

Wow, someone actually uses an internet standard email solution and everyone complains...This state of affairs is incredible! I mean.. what is the world coming to? Excuse me while I slit my wrists.

You're right, they're clearly overreacting.

Re:Internet standards! (0)

Anonymous Coward | about 6 years ago | (#25321297)

Anyone on the same router as you can easily sniff packets of fellow users. Anyone using Yahoo mail over WiFi is at risk. All it takes is one asshole camping at Starbucks.

Re:Internet standards! (1)

tolan-b (230077) | about 6 years ago | (#25325645)

Anyone using 90% of IMAP accounts is equally at risk. This is a non-story, most IMAP mail isn't encrypted.

The real story is that email is bloody awful and needs replacing.

Re:Internet standards! (4, Informative)

bahamat (187909) | about 6 years ago | (#25321513)

It's not "an internet standard email solution". They use a proprietary and embarrassingly insecure login sequence which can be replayed to gain access to a user's mail at any time.

It's already been documented:
http://blog.dave.cridland.net/?p=32 [cridland.net]

And let's all welcome Timothy to last year, because it's been around for a while.

Re:Internet standards! (2, Insightful)

rsborg (111459) | about 6 years ago | (#25321529)

So it's not done over SSL or TLS, that's unfortunate, but this isn't a bug, it's a lack of a feature. Who's going to be snooping your email traffic from an iPhone anyway?

Non-secure public WiFi? That's quite common and very vulnerable to hacking. Of course, I use imap+gmail+SSL, but this was a bad idea.

I still feel that Yahoo doesn't really take security seriously, in that you can't really force yahoo mail to go secure over https like Google can (it only secures the login page).

Nothing wrong with that (0)

Anonymous Coward | about 6 years ago | (#25320329)

Hold on a second, who said email was secure in the first place?

If your connection to your mail provider is encrypted, your mail provider's connection to other mail servers don't have to be.

If you want to be secure, use PGP

Re:Nothing wrong with that (1)

repvik (96666) | about 6 years ago | (#25320631)

And how does PGP (or GPG) protect your login credentials?

IMAP is not encrypted by default. (1)

Batmensch (130224) | about 6 years ago | (#25320357)

I don't actually understand the point of this message. You either use IMAP over SSL (or POP, for that matter) or you don't. If you don't, it's not encrypted. Why would you expect it to be?
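The comment above makes the practical point of the thread: an IMAP client either negotiates TLS or it does not, and nothing in the protocol forces it to. The following is an added example (not code from the story, from Yahoo!, or from any commenter) showing how a client can check the server's CAPABILITY response and refuse to send a password unless the connection is already encrypted or can be upgraded with STARTTLS. The CAPABILITY lines are constructed samples; the host, user and password parameters of `open_imap` are placeholders.

```python
import imaplib
import ssl

# Constructed sample CAPABILITY responses; neither is captured from a real server.
SAMPLE_CAPS_PLAINTEXT_ONLY = b"* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN IDLE"
SAMPLE_CAPS_STARTTLS = b"* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED IDLE"


def parse_capabilities(line):
    """Turn an untagged '* CAPABILITY ...' line into a set of upper-cased tokens."""
    text = line.decode("ascii", errors="replace").strip()
    prefix = "* CAPABILITY"
    if text.upper().startswith(prefix):
        text = text[len(prefix):]
    return {token.upper() for token in text.split()}


def may_send_credentials(capabilities, tls_active):
    """Policy: a password leaves the client only over an encrypted channel.

    On an already-encrypted connection (port 993 / IMAPS) the answer is yes.
    On a plaintext connection (port 143) it is yes only if the server advertises
    STARTTLS, so the channel can be upgraded before LOGIN is sent.
    """
    if tls_active:
        return True
    return "STARTTLS" in capabilities


def open_imap(host, user, password, port=143):
    """Connect on the plaintext port, insist on STARTTLS, then log in.

    Raises RuntimeError instead of falling back to a cleartext LOGIN when the
    server does not offer STARTTLS.  Returns the authenticated IMAP4 object.
    """
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    conn = imaplib.IMAP4(host, port)
    caps = {c.upper() for c in conn.capabilities}
    if not may_send_credentials(caps, tls_active=False):
        conn.logout()
        raise RuntimeError("server offers no STARTTLS; refusing to send the password in the clear")
    conn.starttls(ssl_context=ctx)  # upgrade the socket before any credentials go out
    conn.login(user, password)
    return conn


if __name__ == "__main__":
    for sample in (SAMPLE_CAPS_PLAINTEXT_ONLY, SAMPLE_CAPS_STARTTLS):
        caps = parse_capabilities(sample)
        print(sample.decode(), "->", "ok to log in" if may_send_credentials(caps, False) else "refuse")
```

Where a server offers IMAPS on port 993, `imaplib.IMAP4_SSL(host, 993, ssl_context=ctx)` gives the same guarantee without the upgrade step; the point of the policy function is that the decision is made before `login()` rather than after the fact.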

All Email is plain text (0)

Anonymous Coward | about 6 years ago | (#25321035)

Even if you fetch the last connection by IMAP or POP3 over SSL / TLS, it has perhaps passed half a dozen servers by SMTP in plaintext.

I encourage everyone to use TLS, but the reality is that your email is almost certain to be plaintext for most of its exposure to the world.

Hence, PGP.

Misleading Subject (1)

prestonmichaelh (773400) | about 6 years ago | (#25321231)

You can't really "Tap the iphone" because of Yahoo, just possibly read unencrypted Yahoo mail. I really don't see what is different between this and somebody on a laptop using wireless to check their email through standard (unencrypted) pop and/or imap. On another note, who really cares? If you are using a Yahoo account for super secret things (trade/industry secrets, government secrets, etc), then you are dumb. If you are using a Yahoo account to talk to your aunt Mabel and get the latest C1Al!5 spam like 99% of the people out there, then who cares if your mail can be read? The only thing I could see that an average person might get would be things regarding banking, online accounts, etc., but pretty much everyplace has strict policies against sending any important information (account numbers, passwords, SSN) through email because email is insecure.

A little offtopic (0)

Anonymous Coward | about 6 years ago | (#25321587)

Holy sweetness, the author of this was my frosh leader last year at University of Waterloo.

I don't want to scare anyone, but... (0)

Anonymous Coward | about 6 years ago | (#25322933)

Most email isn't encrypted. SMTP isn't usually encrypted, and IMAP also often isn't. Even if your connection to the server is encrypted, the server-to-server connection that delivered the mail to your account probably wasn't, so... don't be surprised if there's no encryption, be surprised if there *is* encryption.
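Several comments above ("All Email is plain text" and this one) make the point that securing the last hop says nothing about the server-to-server hops that delivered the message. Whether those hops used TLS is usually recorded in the Received headers (RFC 3848 keywords such as ESMTPS or ESMTPSA, or a "version=TLS..." clause), so a recipient can audit a message after the fact. The following is an added example, not code from the story or from any commenter; the message it parses is a constructed sample with documentation-range addresses.

```python
import re
from email import message_from_string

# Constructed sample message: three hops, the middle one without TLS.
# Newest Received header is on top, as mail servers prepend them.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.org with ESMTPS id abc123
    (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
    Mon, 13 Oct 2008 10:00:00 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
    by mx.example.net with ESMTP id def456;
    Mon, 13 Oct 2008 09:59:00 +0000
Received: from [10.0.0.5] (client.example.com [203.0.113.4])
    by relay.example.com with ESMTPSA id ghi789;
    Mon, 13 Oct 2008 09:58:00 +0000
From: alice@example.com
To: bob@example.org
Subject: constructed test message

body
"""

# RFC 3848 "with" keywords whose trailing S means the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA", "LMTPS", "LMTPSA"}


def parse_hop(value):
    """Extract from/by/with from one Received header and decide if the hop used TLS."""
    flat = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    m_from = re.search(r"\bfrom (\S+)", flat)
    m_by = re.search(r"\bby (\S+)", flat)
    m_with = re.search(r"\bwith (\S+)", flat)
    proto = m_with.group(1).upper() if m_with else ""
    # Some MTAs write a plain "ESMTP" but add a "(version=TLS...)" comment instead.
    tls = proto in TLS_PROTOCOLS or re.search(r"\bversion=TLS", flat, re.I) is not None
    return {
        "from": m_from.group(1) if m_from else "",
        "by": m_by.group(1) if m_by else "",
        "with": proto,
        "tls": tls,
    }


def audit_hops(raw_message):
    """Return the hops in delivery order (sender side first), one dict per hop."""
    msg = message_from_string(raw_message)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    hops.reverse()  # headers are prepended, so the last header is the first hop
    return hops


def plaintext_hops(raw_message):
    """Names of the receiving servers that accepted the message without TLS."""
    return [hop["by"] for hop in audit_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        print(f"{hop['from']:>22} -> {hop['by']:<20} {hop['with']:<8} {'TLS' if hop['tls'] else 'PLAINTEXT'}")
    print("plaintext hops:", plaintext_hops(SAMPLE_MESSAGE))
```

The audit is only as trustworthy as the headers: any relay can write whatever it likes into the Received lines it adds, and the hop before the first trusted server is not visible at all, which is the reason the thread keeps coming back to end-to-end PGP/GPG rather than transport encryption.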

Bad Summary (1)

garote (682822) | about 6 years ago | (#25325351)

This warrants a heading like "Tapping The iPhone"? Har har, Slashdot. Way to give those banner ads another 50,000 rotations.

Tapping the iPhone? (0)

Anonymous Coward | about 6 years ago | (#25326843)

Shit, if this is gonna be that kind of party I'm gonna stick my dick in the mashed potatoes.

I didn't RTFA, but... (0)

Anonymous Coward | about 6 years ago | (#25326915)

I'm tired of people repeating what I think is utter bullshit about "security through obscurity isn't very effective." I always like to bring up several ancient texts that literally teams of scientists for over 8 decades have yet to decipher. In my limited knowledge and experience, I would say those obscure texts offer better security than a lot of things I read about, even here on /. I'm sure there is a dedicated area for discussing obfuscation vs. encryption, but since the OP brought it up I decided to chime in.

Every time I bring up ancient texts to some of the "security experts" I know, they pretend like it doesn't matter, and that encryption is still better. Yet in my mind when millions of man hours (and probably billions or trillions of CPU hours) are spent trying to decipher these with extremely little to no progress made, it actually is better.

I'm quite certain best practice is to mix both obfuscation and encryption. However, I fucking hate when someone suggests a pure one sided solution is fundamentally flawed, yet they cannot explain ancient obfuscated text passages to me.

Misleading Subject (1)

clint999 (1277046) | about 6 years ago | (#25330627)

E-mail being insecure isn't news. Defaulting to plaintext auth almost is.
