
New Nokia Smartphones Leak E-mail Passwords

ScuttleMonkey posted more than 5 years ago | from the lazy-engineers dept.

Security

Noksu writes "Despite the recent plunge in Nokia's profits, the company is doing well in the surveillance business. The infamous 'Lex Nokia' got ratified in Finland and the company has launched a massive Nokoscope research project for data gathering. In the meantime, Nokia's new smartphones forward e-mail account credentials to a remote server. Surprisingly enough, this is done in HTTP request headers. The company has been informed, but there has not been an official statement yet. Time for a class action suit in the US?"


Nah (0)

Anonymous Coward | more than 5 years ago | (#27617803)

Only "thugs" use Nokia.

Solution: (4, Funny)

forkazoo (138186) | more than 5 years ago | (#27617813)

Don't use 'GET /', 'HTTP/1.0', or 'user-agent' as your password, and you will be much less likely to have your password submitted automatically by an HTTP client program.

Re:Solution: (5, Informative)

0100010001010011 (652467) | more than 5 years ago | (#27618081)

Hell, what if you use a ?, & or a # in your password? Something tells me they probably didn't do a URL-encode.

Although you could have some fun with dumb snoopers out there.

Just make your password:

https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
address=test.user@mycompany.com&password=topsecret&
mcc=244&mnc=91&carrier=sonera

So the request would be:
https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
address=test.user@mycompany.com&password=https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
address=test.user@mycompany.com&password=topsecret&
mcc=244&mnc=91&carrier=sonera&
mcc=244&mnc=91&carrier=sonera

Re:Solution: (4, Insightful)

tritonman (998572) | more than 5 years ago | (#27618165)

After reading the article, it doesn't seem that it uses the HTTP headers, it appears to use actual URL parameters, which is probably 100x worse. Either way, if it sends plain text passwords, that's just idiotic.

Re:Solution: (1)

X0563511 (793323) | more than 5 years ago | (#27618503)

If it's HTTPS, those URL parameters are not transmitted in the clear.

Or am I horribly mistaken? I hope not. Please let me be right?

Re:Solution: (3, Insightful)

janeuner (815461) | more than 5 years ago | (#27619271)

In the clear? No.

In apache access logs? muahahah....
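An added example (not code from the thread, the blog it discusses, or Nokia) that makes both points above concrete: what a server-side parser recovers when a password containing '&' or '#' is concatenated into the quoted determineAccount request without URL-encoding, and what the access log records either way. The host, sample credentials and log line are constructed placeholders.

```python
"""Credentials in a GET query string: two concrete problems.

Added example, not code from the Slashdot thread or from Nokia. It rebuilds the
request shape quoted in the thread (a GET whose query string carries address=
and password=) against a placeholder host and shows (1) the breakage when the
password contains '?', '&' or '#' and nobody URL-encodes it, and (2) that the
query string, password included, lands in the server's access log.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote_plus, urlencode, urlsplit

# Placeholder endpoint (assumption); the real host quoted in the thread is not used.
ENDPOINT = "https://ccds.example.invalid/api/v1/rest/"
# Operator parameters copied from the URL quoted in the thread.
EXTRA = [("mcc", "244"), ("mnc", "91"), ("carrier", "sonera")]


def build_naive(address: str, password: str) -> str:
    """Plain string concatenation, the way the quoted URL looks."""
    return (f"{ENDPOINT}?operation=ccds.provider.determineAccount"
            f"&applicationCode=email&address={address}&password={password}"
            "&mcc=244&mnc=91&carrier=sonera")


def build_encoded(address: str, password: str) -> str:
    """Same request with every value percent-encoded; urlencode quotes '&', '#', '?' and '@'."""
    params = [("operation", "ccds.provider.determineAccount"),
              ("applicationCode", "email"),
              ("address", address), ("password", password)] + EXTRA
    return f"{ENDPOINT}?{urlencode(params)}"


def server_side_view(url: str) -> dict:
    """What a server's query parser recovers, plus the fragment a browser would never even send."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"params": params, "fragment": parts.fragment}


def access_log_line(method: str, url: str, status: int = 200, size: int = 512) -> str:
    """Constructed line in NCSA Common Log Format, as Apache writes by default.

    Only the request line is logged, so a POST body never appears here, but a
    GET query string does, in full.
    """
    parts = urlsplit(url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    ts = datetime(2009, 4, 17, 18, 34, tzinfo=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'203.0.113.7 - - [{ts}] "{method} {target} HTTP/1.1" {status} {size}'


def log_exposes_password(line: str, password: str) -> bool:
    """True if the password appears in the log line, raw or percent-encoded."""
    return password in line or quote_plus(password) in line


if __name__ == "__main__":
    addr, pw = "test.user@example.com", "top&secret#x"   # constructed sample credentials
    naive = server_side_view(build_naive(addr, pw))
    print("naive:  ", naive)   # password truncated to 'top'; mcc/mnc/carrier lost to the fragment
    print("encoded:", server_side_view(build_encoded(addr, pw)))
    line = access_log_line("GET", build_encoded(addr, pw))
    print(line)
    print("password in access log:", log_exposes_password(line, pw))             # True
    print("POST request line:", log_exposes_password(access_log_line("POST", ENDPOINT), pw))  # False
```

Encoding fixes the parsing problem only; the log exposure remains for any secret carried in the request line, which is why credentials belong in a request body (or better, never leave the device at all).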

they aren't using Apache (1)

fuzzylollipop (851039) | more than 5 years ago | (#27754711)

what makes you think they are using apache?

Re:Solution: (1, Interesting)

Anonymous Coward | more than 5 years ago | (#27619405)

just like when you log in to slashdot or almost any other site that requires a login. Yep, your password is sent as an unencrypted URL parameter.

But it's an unencrypted password sent over an encrypted HTTPS channel (usually, hopefully), so it's not really "plain text".

Neither is worse nor better: headers, or URL parameters. Server code can just as easily read headers as it can URL params and save them to a database or whatever it wants. And so could a sniffer if it's not HTTPS.

You're basically saying that nearly every login that's ever been widely used on the web is idiotic. Of course using x509 certificate authentication or (questionably) NTLM and a few other more obscure alternatives exist.

The issue here is more ethical than insecure technology. It isn't about whether someone could steal your password from your phone or while it's on the way to Nokia (that is all properly secured, even during this process as HTTPS is used), but whether you want Nokia to have the password at all and use it on your behalf.

I personally would be ok with it, if I felt there was enough benefit in what it provided. I currently do the same thing with Emoze, another push mail service.

But I disagree if this really is the default and only option on new phones. To trust someone with the password to your personal email is a decision a user needs to be able to make for themselves and be clearly informed that Nokia will need their password to use the service.

Re:Solution: (1)

Vexorian (959249) | more than 5 years ago | (#27621439)

what? bastard hacker! don't publish my passwords!

Response from Nokia (5, Interesting)

GuldKalle (1065310) | more than 5 years ago | (#27617891)

Nokia's response [blogspot.com]

Re:Response from Nokia MODDER UPWARDS (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27618101)

mah kung-fu is weak

(seven days without sex makes one week)

Re:Response from Nokia (1)

Thelasko (1196535) | more than 5 years ago | (#27618521)

Which amounts to:

Nokia takes security seriously

Straight out of Public Relations 101. [consumerist.com]

Time for class action suit in the US? (0)

Anonymous Coward | more than 5 years ago | (#27617897)

What the fuck is "in the us"?

Oh, you mean the USA. Stop calling yourselves the "US", it's "USA".

Re:Time for class action suit in the US? (1)

Camann (1486759) | more than 5 years ago | (#27618009)

I think their internal communities [slashdot.org] are declaring sovereignty as countries.

Re:Time for class action suit in the US? (0)

Anonymous Coward | more than 5 years ago | (#27621017)

According to whom? The Oxford English Dictionary or you?

Re:Time for class action suit in the US? (0)

Anonymous Coward | more than 5 years ago | (#27621887)

What the fuck is "in the uk"?

Oh, you mean the UKoGBaNI. Stop calling yourselves the "UK", it's "UKoGBaNI".

Anonymous Coward (0, Insightful)

Anonymous Coward | more than 5 years ago | (#27617957)

Welcome to the world of push email? How else would you like us to do it, buddy?

Re:Anonymous Coward (0)

Anonymous Coward | more than 5 years ago | (#27618163)

Why does it make sense to have push email? Does it make sense to have push e-banking? I suppose this is all optional, right?

Re:Anonymous Coward (0)

Anonymous Coward | more than 5 years ago | (#27618305)

Ummm, how about Exchange ActiveSync DirectPush directly from your company's Exchange server, no middlemen involved? Or IMAP IDLE? You could argue that it's less efficient, but maybe you don't want to hand over your password to Nokia.

Re:Anonymous Coward (1)

causality (777677) | more than 5 years ago | (#27618683)

Ummm, how about Exchange ActiveSync DirectPush directly from your company's Exchange server, no middlemen involved? Or IMAP IDLE? You could argue that it's less efficient, but maybe you don't want to hand over your password to Nokia.

I presume that the phone has a Web browser. So, it may make sense to use a Web mail service with this phone. That way, the username/password credentials are encrypted via SSL and are never given to Nokia's servers. I realize that the issue mentioned in the summary also involves SSL-encrypted HTTP requests, though that is the method of transport by which the credentials are given to Nokia.

I don't personally use Gmail because I am not fond of how easily this allows Google to collect information about me (i.e. for advertisements). Having said that, its ability to collect e-mail from multiple POP/IMAP mailboxes may be a very handy feature for those who don't share my views on privacy. It seems like a good way to have all of the features that this Nokia service provides without having to entrust your e-mail passwords to an entity that can positively identify you because they have your billing information. That is, compared to Google's aggregate and (probably) non-personally identifiable data collection, the situation with Nokia is potentially much worse.

Re:Anonymous Coward (1)

DrSkwid (118965) | more than 5 years ago | (#27626107)

In what way does connecting to my personal IMAP server require sending my password to Nokia?

Esp. as the workaround is to use the wrong password while using the wizard and change it afterwards.

rtard

Non-issue? (3, Informative)

TrebleJunkie (208060) | more than 5 years ago | (#27617967)

This isn't really an issue, is it?

Yes, it sends credentials through to Nokia, but it does _not_ use an un-encrypted HTTP connection to do it. It uses SSL/HTTPS. It's also _not_ done in HTTP Header messages, it's going through in the GET request.

*shrug*

Re:Non-issue? (5, Insightful)

Nos. (179609) | more than 5 years ago | (#27618055)

I guess Nokia getting your email account credentials isn't an issue for you.

Re:Non-issue? (5, Insightful)

InsertWittyNameHere (1438813) | more than 5 years ago | (#27618161)

If you setup an email on your Blackberry with BIS (not BES) then RIM has your credentials.

Why is it an issue now with only Nokia?

Re:Non-issue? (1, Informative)

Anonymous Coward | more than 5 years ago | (#27618277)

Exactly..

Nokia's system works the same way - you create a master account at Nokia, which holds your credentials for other email accounts.

The mobile email client then talks to Nokia servers, which talk to all of your mailboxes.

This article is not news.

Re:Non-issue? (4, Informative)

digitalchinky (650880) | more than 5 years ago | (#27620935)

This article is news, you are having comprehension issues. The article writer is not using or wanting a proxy to handle email.

The short version, since you missed it.

* Built in mail client set up wizard = spyware (And since there is no other method to create an account, how do you propose one avoid it?)

When I set up Thunderbird to talk to MY IMAP/POP server, I don't expect it to go off and give my authentication details to Mozilla.
When I set up my phone in exactly the same way, I don't expect it to hand out my authentication info to Nokia.

Thunderbird doesn't do this. Nokia does. How is that not news? The system you are talking about is entirely different to the one the author is describing.

Re:Non-issue? (4, Interesting)

Anonymous Coward | more than 5 years ago | (#27623079)

I know very well how Nokia Messaging works because I use it. This is their new email client that is now being shipped on recent higher-end phone(s), or that can be downloaded/installed on older models. It is made to compete with Blackberry services which work the same way.

You can complete its setup over the web - you go to http://email.nokia.com/ [nokia.com] enter IMAP/POP server name/username/password and add up to 10 accounts to your main Nokia account.

Alternatively, you can do these steps on the phone itself, which is what the OP described.

You then run Nokia Messaging on your phone, enter your master credentials and have access to all of your accounts.

This is how this service is designed. You may think it's not prudent to give Nokia your credentials, but this is how this service is designed and there are reasons for doing it this way.

Claiming there is some conspiracy is silly.

Re:Non-issue? (0)

Anonymous Coward | more than 5 years ago | (#27625511)

You have no idea that there are different types and different versions of email software on Nokia's phones, do you? You should read more before spouting off nonsensical comments like the above. What you said is not in any way relevant to the case at hand.

Re:Non-issue? (0)

Anonymous Coward | more than 5 years ago | (#27630239)

You're confused. This isn't talking about the service. The password gets sent even if the phone accesses the E-mail server directly. Users have a reasonable expectation that when they set up an E-mail client on the phone, their password doesn't get sent to a third party server without their consent; there is no technical reason to do so, Nokia phones have never done that before, and it's a gaping security hole.

Re:Non-issue? (1)

dissy (172727) | more than 5 years ago | (#27627423)

It's called buying the right device for your needs.

You don't go out and buy a hammer and complain it doesn't work well removing screws.

If you want a device to check your email directly, then you should probably buy a device that can check your email directly.

These devices do not work that way, so sound like the wrong choice if that is what you need.

There are plenty of devices on the market that can check email directly and don't require their own server component in between. This person should be looking at those.

He clearly realizes what he needs, but refuses to buy a device that can do it, and now expects RIM to change and be one of those other devices instead.

When such information is one google search away, you can't expect us to feel much sympathy for their mistake.

Re:Non-issue? (1)

Nos. (179609) | more than 5 years ago | (#27618279)

I've never used BIS (or BES) so I'm not sure. But why would any email client need to pass the credentials it has to a third party to connect to a POP/IMAP server? If RIM is doing the same thing, then they should be called on it as well.

This is no different than if Outlook sent your credentials to MS, or Thunderbird sent them to Mozilla.

Re:Non-issue? (5, Informative)

InsertWittyNameHere (1438813) | more than 5 years ago | (#27618469)

Basically their (RIM, etc) server will check for email, download it, compress it, then push it to your device.

So if you have 10 email accounts rather than your device constantly checking each one, wasting data and battery life, the server does all that work and you get push email functionality.

Re:Non-issue? (0)

Anonymous Coward | more than 5 years ago | (#27618477)

Barebones email client shipped with Nokia phones does talk to your IMAP/POP3 server directly.

This post is about the new Nokia Messaging client, which works similarly to BIS/BES, where your credentials are stored on Nokia servers, and your email client talks to them. The Nokia server can then "push" new email notifications to the mobile client whenever it wants to.

In other words, the author doesn't know what he is talking about and brought out the tin foil hat for no reason.

Re:Non-issue? (1)

h4rr4r (612664) | more than 5 years ago | (#27618485)

They do it because the Blackberry has no real mail client. It is all done via some mess involving RIM's servers to get your mail for you.

This is because the kind of people who use these devices have no idea how any of it works, they think it is all magic.

Re:Non-issue? (5, Informative)

Sethb (9355) | more than 5 years ago | (#27618651)

This is the way BIS works. The reason you get great battery life out of a Blackberry is that RIM's server is hitting your POP/IMAP server and checking for mail, then it just pushes it to your Blackberry as needed. Compared to running a Windows Mobile phone with your IMAP connection being live all day, the battery & traffic savings are enormous. The downside is that you have to share your username & password with RIM, unless you're using BES, which is what enterprises who worry about giving out their passwords do...

Re:Non-issue? (1)

ivucica (1001089) | more than 5 years ago | (#27620183)

I have no info about BIS and I never used BlackBerry, but it sounds similar to what I observed Opera Mini doing.

However, doesn't IMAP already "push" you information when you get new email into your inbox? And, how is it possible for the device to get the mail if it doesn't keep an open connection to the server? The only other way is polling... and that's not push mail, that's standard POP mail.

I honestly don't know what could be so different about BIS.

So, please tell me: what's so different compared to IMAP (which also notifies the client about mails), except that IMAP doesn't do compression?

Re:Non-issue? (0)

Anonymous Coward | more than 5 years ago | (#27620849)

Proprietary RIM garbage?

Re:Non-issue? (0)

Anonymous Coward | more than 5 years ago | (#27646675)

Traditional, basic IMAP does NOT "push" information; the client connects, reviews headers, and retrieves desired messages, then closes the connection.

IMAP IDLE, from RFC 2177 and optionally supported in IMAP4, refers to "real-time notification." So, if your email client supports IMAP IDLE, then conceivably you don't need the Nokia Messaging client.

I don't know, however, what the impact (or even viability) of doing IMAP IDLE with multiple servers would be.

For customers with limited data plans (who still does that anymore?), aggregating multiple email services through a service, such as that depicted here, makes some sense, because the device is notified when there is mail waiting, and otherwise is idle. (No pun intended.)

This all boils down to choice - either use a third-party Symbian email client that interacts directly with your mail servers, or use the included tool. I use Nokia Messaging, and I don't have an issue with any of this; but that's a matter of personal choice.

Re:Non-issue? (1)

ivucica (1001089) | more than 5 years ago | (#27650877)

Too bad you posted as AC, I hope you notice this:

Why are you not worried that Nokia is unnecessarily collecting your username and password without your knowledge? Shouldn't your data stay on your device?

From what I gathered, Nokia Messaging doesn't do anything differently from standard clients ... except that it includes a wizard that allows you to more easily configure your account. And it does so by collecting your username and password; why?

Re:Non-issue? (1)

Nos. (179609) | more than 5 years ago | (#27618913)

Ahh, didn't realize that this is how RIM's "push" email worked. Even still, according to the articles on the blog, this is not Nokia's Messaging server, just their basic POP/IMAP client. So again, Nokia shouldn't need it.

Re:Non-issue? (2, Interesting)

causality (777677) | more than 5 years ago | (#27618893)

If you setup an email on your Blackberry with BIS (not BES) then RIM has your credentials.

Why is it an issue now with only Nokia?

That's a good question. I'll give you my best guess at an answer, though a guess is all that it is.

I should say up front that I don't know very much at all about Blackberries. I will assume that what you said is correct, that a Blackberry with BIS presents the very same privacy issue because it shares username/password credentials with a third party. Thus, the privacy issues posed by predecessors like the Blackberry can be viewed as a mistake or at least as less-than-optimal. If it's a mistake, then there is no good reason why Nokia could not have learned from this previous example and designed their system in such a way that no third parties need to be trusted with confidential information.

It should be possible to equip the phone with a standard POP3/IMAP e-mail client. Logically, if a phone can have a Web browser it can also have such an e-mail client. Then the login credentials can be stored in the phone itself and the phone can use APOP, TLS, or SSL to communicate securely with the e-mail server. Then Nokia is merely the carrier and has no reason to ever see anyone's login credentials and those credentials are safe(r) from other eavesdroppers because they are not sent as plaintext. If these new Nokia phones could do that, then that would represent an improvement on the earlier example of the Blackberry.

The thing I don't understand is why anyone would ever design the system in such a way that a third party needs to be trusted with confidential information. It seems unnecessary. What benefit does this provide that absolutely cannot be arranged by an independent e-mail client that stores such information locally on the phone? I suppose that same question can be rephrased as "does server-push provide any benefit that client-pull with a reasonable polling time could not also provide?"

Re:Non-issue? (1)

InsertWittyNameHere (1438813) | more than 5 years ago | (#27619035)

It was more of a rhetorical question.

Re:Non-issue? (1)

causality (777677) | more than 5 years ago | (#27619213)

It was more of a rhetorical question.

You may have intended it that way, yes. That's the funny thing about posting in public forums -- people may respond in all sorts of ways, even those you did not intend! Okay, I'm being facetious. Seriously though, rhetorical questions are much more effective when the answer is obvious or assumed. They tend to fall apart when there are multiple answers and multiple viewpoints from which those answers can come.

I'm responding this way because you're frankly coming across as rather smug. It's as though you want me to feel like I wasted my time and effort in responding to you and should have known better than to do such a thing, merely because you had something different in mind. It doesn't have to be that way.

Re:Non-issue? (2, Interesting)

Binestar (28861) | more than 5 years ago | (#27619227)

The thing I don't understand is why anyone would ever design the system in such a way that a third party needs to be trusted with confidential information. It seems unnecessary. What benefit does this provide that absolutely cannot be arranged by an independent e-mail client that stores such information locally on the phone? I suppose that same question can be rephrased as "does server-push provide any benefit that client-pull with a reasonable polling time could not also provide?"

Battery life. By having the Blackberry server push the email to your blackberry you save the battery time and bandwidth of checking your email every 10-15 minutes.

If you don't want them to have your password get a BES.

It starts to become a does $.002 == .002cents question.

Re:Non-issue? (2, Informative)

ivucica (1001089) | more than 5 years ago | (#27620221)

IMAP, on a properly written client, in online mode, keeps the connection open and the server notifies the client when new messages arrive.

Nokias aren't Blackberry (1)

speedtux (1307149) | more than 5 years ago | (#27630161)

Well, that's the reason many people don't buy Blackberry phones. Nokia used to be different. But apparently Nokia phones are off the table as well now for anybody who cares about security.

And why does it matter? Because once the password is sent in plain text anywhere, you have no control over it. It likely gets stored in Nokia's server logs and on their backup tapes. Nokia employees can access it. Police can subpoena it. Intruders can sniff it. Etc.

Re:Non-issue? (1)

Hurricane78 (562437) | more than 5 years ago | (#27620217)

Or Google. Or Microsoft. Or any other e-mail-service-provider.

First thing I did on my phone was install my own PIM and communication suite. I would have loved to replace the OS, but this is still a bit of a rocky ride. Too rocky for a new phone with guarantee.

Re:Non-issue? (0)

Anonymous Coward | more than 5 years ago | (#27618123)

So Noksu and ScuttleMonkey are morons? Got it.

An issue. (1)

Benanov (583592) | more than 5 years ago | (#27618531)

RTFBP again. He's not using any proxy server or messaging depot--he's going to connect directly to his company's mail server, and not have Nokia cache the email for him.

Why does Nokia need a copy of his credentials in that case?

(They don't.)

Re:An issue. (0)

VP (32928) | more than 5 years ago | (#27618653)

RTFBP again. He's not using any proxy server or messaging depot

Wrong, he is using Nokia Messaging, which is a service Nokia provides. This is what the "wizard" is all about.

Re:An issue. (2, Informative)

GuldKalle (1065310) | more than 5 years ago | (#27618895)

nope [slashdot.org] .
At least that was very clearly not his intention

Re:An issue. (1, Redundant)

VP (32928) | more than 5 years ago | (#27619461)

OK, so it isn't Nokia Messaging, it is the new wizard application, which checks that your credentials are valid by actually logging into the e-mail account, and if there are problems, alerts you to check your credentials instead of creating the account on your phone. While it would have been nice to get a warning that the wizard is doing that via a Nokia server, it is still not such a big deal.

Re:An issue. (4, Insightful)

Culture20 (968837) | more than 5 years ago | (#27620977)

it is still not such a big deal.

Not a big deal to have your credentials sent to a third party? What if Nokia's wizard used a Finnish government server instead?
What if a Chinese-made phone was sending username/password to a Chinese government server?
What if Antti Järjestelmävalvojanen, a (fictitious) Nokia network admin, starts storing them on his thumb drive?

Re:An issue. (0)

Anonymous Coward | more than 5 years ago | (#27622365)

What if your network operator logs your SMTP traffic and hands it over to an evil corrupt government ... oh crap they do, if you live in the UK.

Re:Non-issue? (0)

Anonymous Coward | more than 5 years ago | (#27637707)

Umh.. GET is an HTTP header, and it's not encrypted.

A few details I forgot: (5, Informative)

Anonymous Coward | more than 5 years ago | (#27617983)

Subby here: To clarify some things: this issue is on Nokia Messaging client. The only device (AFAIK) that currently ships with Nokia Messaging is E75. The older models use the old email/messaging software, that has nothing to do with Nokia Messaging service.

I haven't checked how Nokia markets the Nokia Messaging service/client nowadays, but originally it was marketed as a service (the email proxy) and accompanying client, and you couldn't even use the client without the proxy service.

Apparently this has changed now when E75 ships without the original standalone email client.

So, E71 (or any other Nokia phone except E75) does not have this issue unless you have downloaded the separate Nokia Messaging software and use that for reading mail.

Re:A few details I forgot: (4, Informative)

GuldKalle (1065310) | more than 5 years ago | (#27618337)

According to the blogger's follow-up [blogspot.com], at least three models are affected:
5800 (20.0.0.12)
N79 (11.049)
E75 (110.48.78)

Also from the follow-up:
Yes, I know there is a solution called Nokia Messaging (read more from here), but maybe I wasn't clear enough in my initial post: I am configuring direct IMAP/POP access to my own/company/organization/whatever email service and I am not using nor planning to use Nokia's messaging proxy.

Re:A few details I forgot: (3, Informative)

Progoth (98669) | more than 5 years ago | (#27619471)

I'm on the server software team, so I'm not completely sure about the client - but as I understand it, the client's hitting our CCDS server to save you the step of putting in server names / ports /etc. The service was written for Nokia Messaging, and is used there, but is also valid for the client to configure its built-in client.

/just finished implementing push, non-POP Hotmail support for Nokia Messaging not too long ago

Re:A few details I forgot: (1)

Hurricane78 (562437) | more than 5 years ago | (#27620039)

Hmm... how can it know the server name / port / etc, if I for example have
some.person@secure-server.tld,
and the server would be something like
ssmtp://some.person:super-secret_password@mail.not-in-mx.secure-server.tld:39482?

By the way: Why not just let users enter such a URL?

Re:A few details I forgot: (1)

Hurricane78 (562437) | more than 5 years ago | (#27620071)

And don't tell me "because they're too stupid and it is too irrelevant". The same was true for HTTP URLs in the beginning of the WWW. People learned it anyway. If you can do math at school and drive a car, stop whining and learn how to enter a damn URL! ^^

Re:A few details I forgot: (1)

drolli (522659) | more than 5 years ago | (#27623403)

How often have you seen average people typing more complicated URLs than www.google.com? Most of them are too stupid to find the navigation bar and eat the shit of whatever search bar or start page is provided on their computer for whatever reason.

Re:A few details I forgot: (0)

Anonymous Coward | more than 5 years ago | (#27647157)

Because a majority of the users of the platform use GMail, Hotmail, Yahoo Mail, etc. and for those users, they do not need to specify (and potentially enter incorrectly), making the user experience smooth for those who are not as technically inclined.

If you are connecting to a "non-standard" mail domain, and you are the first subscriber to do so, then you must provide the missing information. Once tested, however, the next user need only enter their mail address (from which the server information is derived) and the password (for testing the credentials).

Re:A few details I forgot: (1)

ivucica (1001089) | more than 5 years ago | (#27620301)

...and why isn't the domain name (e.g. "gmail.com") sufficient for this autoconfiguration step? That is, why is the username + password needed?

Only reason I can guess is "ok, let's get Nokia's server to try logging into mail.domain.com, then pop.mail.com, then imap.domain.com, then domain.com, and then give up" but ... in that case user should explicitly mark a checkbox "Send my user credentials to Nokia for autoconfiguration".

Can you elaborate why it isn't so?

PS Otherwise this service would be a great idea ... but silent sending of user data to a third party, no matter how trusted, is simply not cool :)

Re:A few details I forgot: (0)

Anonymous Coward | more than 5 years ago | (#27618343)

It also looks like you forgot to RTFA, as it clearly states that this issue has nothing to do with Nokia Messaging, and is reproducible on a lot of nokia models.

Come on ... (0)

Anonymous Coward | more than 5 years ago | (#27618155)

The Editing Nazi Demi-Gods are not happy.

Despite the recent plunge ...

In the meantime, Nokia's ...

Surprisingly enough, this is being done in the HTTP request headers.

Time for a class action suit in the US?

Wrong department ... (0)

Anonymous Coward | more than 5 years ago | (#27618285)

Posted by ScuttleMonkey on Friday April 17, @06:34PM
from the lazy-editing dept.

Fixed that for you.

sneaky.. (4, Funny)

Keruo (771880) | more than 5 years ago | (#27618307)

Good thing my email password is ";drop database;"

Re:sneaky.. (5, Funny)

idontgno (624372) | more than 5 years ago | (#27618449)

Bobby Tables [xkcd.com] , is that you?

Re:sneaky.. (1)

ivucica (1001089) | more than 5 years ago | (#27620329)

No, it's Captain Obvious [wikia.com] to the rescue! :)

would probably not have happened with FOSS (0, Offtopic)

godrik (1287354) | more than 5 years ago | (#27618373)

Seriously, such a flaw would have been quickly spotted by computer geeks if the software source were available. And it would have been corrected by the community if it had been open source.

sounds like (5, Funny)

Presto Vivace (882157) | more than 5 years ago | (#27618403)

they're not very smart phones.

Re:sounds like (3, Funny)

Sockatume (732728) | more than 5 years ago | (#27621819)

I mentally inserted a Horatio sunglasses moment between your post title and the content.

Isn't this how AT&T supports email? (0)

Anonymous Coward | more than 5 years ago | (#27618457)

I think (but I could be wrong) that AT&T supports email on some (or all) mobile devices where there is no push server involved. AT&T reads the email and presents it to the user through a browser.

Re:Isn't this how AT&T supports email? (1)

h4rr4r (612664) | more than 5 years ago | (#27618625)

I believe they do.
If they wrote mail clients that did IMAP IDLE this would not ever need to be done, or at least very rarely.

Re:Isn't this how AT&T supports email? (1)

whoever57 (658626) | more than 5 years ago | (#27619297)

I think (but I could be wrong) that AT&T supports email on some (or all) mobile devices where there is no push server involved. AT&T reads the email and presents it to the user through a browser.

I believe they do. If they wrote mail clients that did IMAP Idle this would not ever need to be done, or at least very rarely

Which means that AT&T is doing exactly the same as Nokia is doing -- getting the unencrypted passwords of their customers' third party email accounts.

can we mod the story troll? (0)

Anonymous Coward | more than 5 years ago | (#27618587)

ditto

More amateurish BS from Nokia (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27618837)

I'm not surprised that the amateurs at Nokia would do this. The S60 platform on the whole seems like a throwback to the early 2000's, back when smartphone users were a marginalized bunch who would put up with niggling annoyances as long as they could receive email on their devices. If the iPhone OS is pretty much OS X on a phone, then S60 is like running Windows 98 on your phone.

I'm pretty much convinced that anyone using a Nokia smartphone right now is a masochist. My experience with an E71 has been horrendous. The built-in email client cannot handle HTML and even though there's IMAP support, you can't move messages between folders. You can't even save sent messages to your own IMAP folder, so they're forever stuck in your phone's own "Sent" folder. You can either pull messages at varying time intervals, or you can use IMAP IDLE without message retrieval, but inexplicably you can't have both at the same time. Even if you use IMAP IDLE, only changes to the inbox are monitored. Why does anyone even use the built-in client? Well, only Nokia's own applications are given the ability to present notifications on the home screen.

Almost everybody who uses their E71 for serious emailing chooses to buy Profimail for $30, even though it also has quite a few missing features. It can't detect the phone's volume settings, so if you're in a meeting you'll have to silence both your phone and Profimail. The vibration alert doesn't work on my phone.

The new "Mail by Nokia" system is hilariously crappy. They want you to give them the logins to your mail accounts, then they retrieve your email. Why would anyone do this? The only benefits, as far as I can tell, are push notifications and a slightly less ugly interface that completely ignores your own UI settings. The (very beta) web interface for setting up your Mail by Nokia account is incredibly limited. I still can't figure out how I managed to set up my FastMail account to work with them. After using Nokia Mail for a day I decided that these amateurs are probably not going to be storing my information in any secure manner, so I disabled my Nokia account and changed all of my email passwords.

The whole platform is locked down because applications need to be signed. The Symbian Foundation, in the interest of locking down your phone past the point of usability, uses an insanely complex system to approve applications before signing them. The entry cost is enormous, on the order of thousands of dollars, which effectively shuts out most hobbyists from producing signed applications. Instead, they release unsigned applications, and all the users have to allow their phones to accept them. So what was the point of locking down the platform in the first place?

Maybe I'm spoiled from having used an iPod touch. The App Store is amazingly simple and convenient, and the community has a critical mass of users and developers. For most common uses, I can assume that there's an app out there that can do what I want. Not so for a Nokia phone.

Re:More amateurish BS from Nokia (2, Insightful)

Anonymusing (1450747) | more than 5 years ago | (#27619091)

The new "Mail by Nokia" system is hilariously crappy. They want you to give them the logins to your mail accounts, then they retrieve your email. Why would anyone do this?

Probably for the same reason that people let Gmail do this [google.com] .

Re:More amateurish BS from Nokia (1)

Tony Hoyle (11698) | more than 5 years ago | (#27620583)

Works for Blackberry too.

How else to do push email? (4, Interesting)

Elwood P Dowd (16933) | more than 5 years ago | (#27619483)

As commenters have already pointed out on those blog posts, push IMAP will require that Nokia stores your credentials on servers that check for your new email as a proxy.

This request is https. If, during setup, you asked for push IMAP, or any number of other imaginable features for your mail account, sending your credentials to a Nokia or wireless carrier server will be necessary.

Actually... if it's https... how the hell can this guy tell what the URL request is? Has he patched their email client to snitch?

Re:How else to do push email? (2, Insightful)

godel_56 (1287256) | more than 5 years ago | (#27620065)

This request is https. If, during setup, you asked for push IMAP, or any number of other imaginable features for your mail account, sending your credentials to a Nokia or wireless carrier server will be necessary.

Not only have you not RTFA but you haven't bothered to read the previous Slashdot comments. He is NOT using push email and he intercepted the communications on his own network using Webscarab and Wireshark. Nokia are only providing the comms terminal and have neither the need or the right to know his password or account details.

Re:How else to do push email? (1)

Elwood P Dowd (16933) | more than 5 years ago | (#27620611)

So, https doesn't encrypt the URL request? I thought the only thing visible to a MitM is the domain.

Re:How else to do push email? (0)

Anonymous Coward | more than 5 years ago | (#27647345)

Source and destination IP address and SSL session ID. All other aspects of the communication are enveloped within the encrypted payload. The only exception would be if the user was behind a proxy that might be communicating with the end client in the clear, and offloading the SSL between the proxy and the end server.

I guess he was using WiFi instead of the carrier's network, if he has intercepted the request from his device. But if that's the case, I don't see how the request could be in the clear.

Need more information, doesn't seem viable as presented.

Re:How else to do push email? (1)

Elwood P Dowd (16933) | more than 5 years ago | (#27647959)

Thank you. Thought I was going crazy for a second.

iphone (0)

Anonymous Coward | more than 5 years ago | (#27619575)

iPhone doesn't do this

The Real Reason (1)

mtoivola (1227614) | more than 5 years ago | (#27620373)

They're sending the email address, username and password to Nokia to determine the right settings (server name etc.) for the email account. I suppose they have some sort of database of email settings for common email providers. Of course, we all know that they have to have the username and password, the domain part of the email address wouldn't be enough. I don't feel like a proud Finn right now. I'm also not very happy to deal with the issue, since I do IT support for a company that recently got a few of these new fancy smart phones and is using them for email too. No use to set up SSL both ways, thanks to backdoors in the device.
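
The kind of check the blogger's intercept (WebScarab/Wireshark, as described above) boils down to, and the point made in this post that a settings lookup needs only the domain: an added example, not code from the original post or from Nokia. The request text, host name, parameter names and secrets are all constructed here; it parses a captured HTTP request and reports every query parameter or header whose decoded value carries an account secret.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample capture (not a real device request): a provisioning GET
# whose query string and a header carry the account credentials.
SAMPLE_REQUEST = (
    "GET /provision/?operation=lookupSettings&app=email"
    "&emailAddress=alice%40example.org&username=alice%40example.org"
    "&password=s3cr%26t%3F HTTP/1.1\r\n"
    "Host: provisioning.example.invalid\r\n"
    "X-Account-Password: s3cr&t?\r\n"
    "User-Agent: ConstructedClient/1.0\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, query pairs, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    # parse_qsl percent-decodes the values, so "%26" etc. are restored.
    query = parse_qsl(parts.query, keep_blank_values=True)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, parts.path, query, headers


def find_credential_leaks(raw, secrets):
    """Return [(location, field_name)] for every query parameter or header
    whose value (raw or URL-decoded) contains one of the given secrets."""
    _method, _path, query, headers = parse_request(raw)
    hits = []
    for location, fields in (("query", query), ("header", headers)):
        for name, value in fields:
            candidates = {value, unquote(value)}
            if any(s in c for s in secrets for c in candidates):
                hits.append((location, name))
    return hits


def settings_lookup_params(email_address):
    """What a provider-settings lookup actually needs: only the domain part
    of the address, never the username or password (constructed names)."""
    _local, _, domain = email_address.rpartition("@")
    return {"operation": "lookupSettings", "domain": domain}
```

Running `find_credential_leaks` over a capture with the account's address and password as the secrets lists each leaking field; `settings_lookup_params` shows the credential-free request a client could send instead.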

Excellent. (1)

Anachragnome (1008495) | more than 5 years ago | (#27620439)

Now that I know it's only Nokia, I don't have to throw away my perfectly good, still functioning, non-leaking, 6 YEAR old SAMSUNG cellphone.

I was getting worried.

inexcusable (0, Flamebait)

speedtux (1307149) | more than 5 years ago | (#27620771)

Even Microsoft hasn't sunk to that level of incompetence and blatant violation of user privacy. Transmitting the user's password to a third party server in plain text over an unencrypted link is inexcusable.

I have several Nokia phones; obviously, I need to get rid of them. If they make such a fundamental mistake, Nokia obviously cannot be trusted with anything.

Fortunately, with Android, we now have a reasonable alternative.

Re:inexcusable (1)

VGPowerlord (621254) | more than 5 years ago | (#27622001)

Transmitting the user's password to a third party server in plain text over an unencrypted link is inexcusable.

Is it unencrypted? You can have unencrypted https connections, but one would assume they would encrypt it. ...you did catch that s after the http in the url?

No, what you should be concerned about is that it's being transmitted at all, since it's not required for the operation of the phone!

Re:inexcusable (1)

anss123 (985305) | more than 5 years ago | (#27622729)

I have several Nokia phones; obviously, I need to get rid of them. If they make such a fundamental mistake, Nokia obviously cannot be trusted with anything.

The nGage should have been hint enough that there's something basic Nokia lacks, but this particular service is implemented sanely (encrypted, actually useful and all that). Remember, never trust the edit summary.

Class action suit? (2, Interesting)

PCM2 (4486) | more than 5 years ago | (#27621157)

A class-action lawsuit? Seriously?

Americans are crazy. One guy with a blog has discovered a security flaw. There has been no exploit for this flaw. Nobody is complaining that they've lost anything. What's more, this "issue" can be fixed with a firmware update. But no! Our sense of entitlement tells us that this is another opportunity to take a bunch of money out of the pockets of an eeeeeeeeeevvil corporation ... and put it into the pockets of a bunch of lawyers. Awesome.

I love the part where Nokia hasn't even issued a response yet, and we interpret that as more reason to sue. Awesome.

Every other post on Slashdot seems to be decrying how messed-up the system is in this country, and then the next post comes along demanding that we shovel more coal into the fires. Get your heads straight, please.

Re:Class action suit? (1)

dbcad7 (771464) | more than 5 years ago | (#27621359)

I thought the same thing.. and then I realize that Nokia is not the i-phone.. if it was there would be all kinds of defenders popping out of the woodwork. I am willing to bet neither the blogger nor the submitter even has a Nokia phone, but this is all too much BS for me to bother reading the blog to check.

Stupid, (1)

EddyPearson (901263) | more than 5 years ago | (#27621377)

This is the price you pay for "push" e-mail on most mobile devices.

Instead of having the phone constantly connected, polling and costing money in data bills, the network does it at their end, and can then notify the phone using some GSM jiggery-pokery.

FUD.

Give me a break... (2, Informative)

Capt. Beyond (179592) | more than 5 years ago | (#27623919)

Here's to sensationalism and misrepresentation.

Nokoscope was not started by Nokia, but by one or two developers who happen to work for Nokia. It is not an official Nokia project, nor will it ever be, nor is it 'massive'. It will never be installed by default on any Nokia device.
