Yahoo's Zimbra e-mail program exposes passwords
Passwords used to access Yahoo mail through the Zimbra client are sent over the Internet in clear text, a Canadian programmer says.
Holden Karau stumbled upon this problem while participating in the Yahoo University Hack Day at the University of Waterloo last week.
"The Yahoo imap server's used by the Yahoo Desktop don't support SSL and the password was being transmitted in plain text," Karau wrote in a blog post on Friday.
"What does this mean for you? If you use Zimbra to access your Yahoo mail, you almost certainly need to change your password and stop using Zimbra immediately (especially if you've ever done so over wireless)," he writes.
Not surprisingly, his hack didn't place in the competition. "In retrospect it probably wasn't the best forum to bring up the security defects, but it was the most convenient," Karau says.
He notified Yahoo about the problem during his presentation, but no one seemed concerned, he wrote in a post on Zimbra Forums.
A Zimbra representative wrote in a different post in that forum thread: "This problem has already been addressed in code, and fix is in the next release."
A Yahoo spokeswoman said she would check into the matter.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor. 






I'm of the opinion that all e-mail should be encrypted always.
- by michaelawsutton September 30, 2008 5:14 AM PDT
- http://research.zscaler.com/2008/09/trusting-cloud.html [zscaler.com] When leveraging cloud based apps, in this case webmail, security is vital not only in the cloud but during transmission to the cloud. While this is often the responsibility of the enterprise itself, here is a situation where Yahoo! was responsible for all components (client and server) and still didn't get it right. Cloud computing will not succeed unless enterprises are able to trust those making online services available to them. Situations such as this, where security was clearly an afterthought, do not help to build the trust required for cloud computing to succeed.
- Like this Reply to this comment
-
(5 Comments)