• On BNET: 3 worst things about the iPhone 3G S
September 29, 2008 3:32 PM PDT

Yahoo's Zimbra e-mail program exposes passwords

by Elinor Mills

Passwords used to access Yahoo mail through the Zimbra client are sent over the Internet in clear text, a Canadian programmer says.

Holden Karau stumbled upon this problem while participating in the Yahoo University Hack Day at the University of Waterloo last week.

"The Yahoo imap server's used by the Yahoo Desktop don't support SSL and the password was being transmitted in plain text," Karau wrote in a blog post on Friday.

"What does this mean for you? If you use Zimbra to access your Yahoo mail, you almost certainly need to change your password and stop using Zimbra immediately (especially if you've ever done so over wireless)," he writes.

Not surprisingly, his hack didn't place in the competition. "In retrospect it probably wasn't the best forum to bring up the security defects, but it was the most convenient," Karau says.

He notified Yahoo about the problem during his presentation, but no one seemed concerned, he wrote in a post on Zimbra Forums.

A Zimbra representative wrote in a different post in that forum thread: "This problem has already been addressed in code, and fix is in the next release."

A Yahoo spokeswoman said she would check into the matter.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
Topics:

Privacy & data protection

Tags:

Yahoo,

e-mail,

privacy

Share:
Digg
Del.icio.us
Reddit
advertisement
Click here!
Recent posts from Security
Users upset after CA anti-virus detects Windows system file as virus
DirectX targeted in Microsoft security updates
What will Google's Chrome OS watch you do?
Does Google's OS decrease or increase security risks?
Shortened URLs spike in e-mail spam
Security expert blesses Google Native Client technology
FAQ: How to vanquish mobile spam
Report: Social Security numbers can be predicted
Related
Add a Comment (Log in or register) (5 Comments)
  • prev
  • 1
  • next
by Solaris_User September 29, 2008 4:50 PM PDT
..but Zimbra uses SSL by default.. doesn't it?
Reply to this comment
by crazyirishhobo September 29, 2008 5:06 PM PDT
Zimbra uses SSL by default for other providers (like Gmail), but for some unknown reason doesn't with Yahoo! Neither Yahoo! nor Zimbra have been clear on why Yahoo! Desktop doesn't use SSL with Yahoo! mail (but oddly enough will with say Gmail :P)
Reply to this comment
by Solaris_User September 29, 2008 5:14 PM PDT
That's pretty bad then, does yahoo use ssl at all?

I'm of the opinion that all e-mail should be encrypted always.
Reply to this comment
by crazyirishhobo September 30, 2008 4:09 AM PDT
p.s. you might want to update http://www.zimbra.com/forums/109994-post2.html to http://www.zimbra.com/forums/general-questions/22736-zimbra-desktop-sends-yahoo-password-clear-not-secure.html
Reply to this comment
by michaelawsutton September 30, 2008 5:14 AM PDT
http://research.zscaler.com/2008/09/trusting-cloud.html [zscaler.com] When leveraging cloud based apps, in this case webmail, security is vital not only in the cloud but during transmission to the cloud. While this is often the responsibility of the enterprise itself, here is a situation where Yahoo! was responsible for all components (client and server) and still didn't get it right. Cloud computing will not succeed unless enterprises are able to trust those making online services available to them. Situations such as this, where security was clearly an afterthought, do not help to build the trust required for cloud computing to succeed.
Reply to this comment
(5 Comments)
  • prev
  • 1
  • next
advertisement

With Chrome, Google reignites the OS wars

roundup Google Chrome OS, due in 2010, underscores the Web giant's cloud-computing ambitions and opens new competition with Microsoft.
• What Chrome OS has on Windows that Linux doesn't

Laying a guilt trip on military robots

q&a Georgia Tech's Ronald Arkin aims to configure armed robots with a built-in "guilt system" to help them avoid civilian casualties.

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET