September 29, 2008 3:32 PM PDT

Yahoo's Zimbra e-mail program exposes passwords

by Elinor Mills

Passwords used to access Yahoo mail through the Zimbra client are sent over the Internet in clear text, a Canadian programmer says.

Holden Karau stumbled upon this problem while participating in the Yahoo University Hack Day at the University of Waterloo last week.

"The Yahoo imap servers used by the Yahoo Desktop don't support SSL and the password was being transmitted in plain text," Karau wrote in a blog post on Friday.

"What does this mean for you? If you use Zimbra to access your Yahoo mail, you almost certainly need to change your password and stop using Zimbra immediately (especially if you've ever done so over wireless)," he writes.

Not surprisingly, his hack didn't place in the competition. "In retrospect it probably wasn't the best forum to bring up the security defects, but it was the most convenient," Karau says.

He notified Yahoo about the problem during his presentation, but no one seemed concerned, he wrote in a post on Zimbra Forums.

A Zimbra representative wrote in a different post in that forum thread: "This problem has already been addressed in code, and fix is in the next release."

A Yahoo spokeswoman said she would check into the matter.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by Solaris_User September 29, 2008 4:50 PM PDT
..but Zimbra uses SSL by default.. doesn't it?
by crazyirishhobo September 29, 2008 5:06 PM PDT
Zimbra uses SSL by default for other providers (like Gmail), but for some unknown reason doesn't with Yahoo! Neither Yahoo! nor Zimbra have been clear on why Yahoo! Desktop doesn't use SSL with Yahoo! mail (but oddly enough will with say Gmail :P)
by Solaris_User September 29, 2008 5:14 PM PDT
That's pretty bad then, does yahoo use ssl at all?

I'm of the opinion that all e-mail should be encrypted always.
by crazyirishhobo September 30, 2008 4:09 AM PDT
p.s. you might want to update http://www.zimbra.com/forums/109994-post2.html to http://www.zimbra.com/forums/general-questions/22736-zimbra-desktop-sends-yahoo-password-clear-not-secure.html
by michaelawsutton September 30, 2008 5:14 AM PDT
http://research.zscaler.com/2008/09/trusting-cloud.html [zscaler.com] When leveraging cloud based apps, in this case webmail, security is vital not only in the cloud but during transmission to the cloud. While this is often the responsibility of the enterprise itself, here is a situation where Yahoo! was responsible for all components (client and server) and still didn't get it right. Cloud computing will not succeed unless enterprises are able to trust those making online services available to them. Situations such as this, where security was clearly an afterthought, do not help to build the trust required for cloud computing to succeed.