• On TV.com: TOP 10 Shows CANCELED Too Soon
September 29, 2008 3:32 PM PDT

Yahoo's Zimbra e-mail program exposes passwords

by Elinor Mills
  • Font size
  • Print
  • 5 comments
Share

Passwords used to access Yahoo mail through the Zimbra client are sent over the Internet in clear text, a Canadian programmer says.

Holden Karau stumbled upon this problem while participating in the Yahoo University Hack Day at the University of Waterloo last week.

"The Yahoo imap server's used by the Yahoo Desktop don't support SSL and the password was being transmitted in plain text," Karau wrote in a blog post on Friday.

"What does this mean for you? If you use Zimbra to access your Yahoo mail, you almost certainly need to change your password and stop using Zimbra immediately (especially if you've ever done so over wireless)," he writes.

Not surprisingly, his hack didn't place in the competition. "In retrospect it probably wasn't the best forum to bring up the security defects, but it was the most convenient," Karau says.

He notified Yahoo about the problem during his presentation, but no one seemed concerned, he wrote in a post on Zimbra Forums.

A Zimbra representative wrote in a different post in that forum thread: "This problem has already been addressed in code, and fix is in the next release."

A Yahoo spokeswoman said she would check into the matter.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
Topics:

Privacy & data protection

Tags:

Yahoo,

e-mail,

privacy

Share:
Digg
Del.icio.us
Reddit
advertisement
Click Here
Recent posts from Security
PC Tools Internet Security 2010 reviewed
Google Chrome now bundled with Avast
Some Avast users must reinstall flagged files
Defense Dept. pulls software over privacy issues
Microsoft to plug critical IE hole targeted by exploit code
Google wants to unclog Net's DNS plumbing
Avast update falsely flags good apps as malware
Character limitations in passwords considered harmful
Related
Audio Slideshow: Hackers use tech to solve disaster relief challenges
Defense Dept. pulls software over privacy issues
Near-final Thunderbird 3 due next week
Rick Astley resurrected in iPhone worm
Don't take this bait (but you're safe if you do)
Mozilla issues near-final Thunderbird 3
Wrapping up Speeds and Feeds, part 4: Security
The Real Deal 187: Should you buy that warranty?
Add a Comment (Log in or register) (5 Comments)
  • prev
  • 1
  • next
by Solaris_User September 29, 2008 4:50 PM PDT
..but Zimbra uses SSL by default.. doesn't it?
Reply to this comment
by crazyirishhobo September 29, 2008 5:06 PM PDT
Zimbra uses SSL by default for other providers (like Gmail), but for some unknown reason doesn't with Yahoo! Neither Yahoo! nor Zimbra have been clear on why Yahoo! Desktop doesn't use SSL with Yahoo! mail (but oddly enough will with say Gmail :P)
Reply to this comment
by Solaris_User September 29, 2008 5:14 PM PDT
That's pretty bad then, does yahoo use ssl at all?

I'm of the opinion that all e-mail should be encrypted always.
Reply to this comment
by crazyirishhobo September 30, 2008 4:09 AM PDT
p.s. you might want to update http://www.zimbra.com/forums/109994-post2.html to http://www.zimbra.com/forums/general-questions/22736-zimbra-desktop-sends-yahoo-password-clear-not-secure.html
Reply to this comment
by michaelawsutton September 30, 2008 5:14 AM PDT
http://research.zscaler.com/2008/09/trusting-cloud.html [zscaler.com] When leveraging cloud based apps, in this case webmail, security is vital not only in the cloud but during transmission to the cloud. While this is often the responsibility of the enterprise itself, here is a situation where Yahoo! was responsible for all components (client and server) and still didn't get it right. Cloud computing will not succeed unless enterprises are able to trust those making online services available to them. Situations such as this, where security was clearly an afterthought, do not help to build the trust required for cloud computing to succeed.
Reply to this comment
(5 Comments)
  • prev
  • 1
  • next
advertisement

The yogurt makers of tech: Gadgets to avoid

Don't buy these one-trick ponies--unless you like gizmos that gather dust.

Google wants to unclog Net's DNS plumbing

The Net giant, ever eager for a faster Internet, debuts its Google Public DNS service. With it, Google could become even more central to the Net.

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET