bit-tech.net

Yahoo's Zimbra exposes passwords

Users of Yahoo's Zimbra will want to change their e-mail password and use a different client until the bug is fixed.

If you use Yahoo's Zimbra client to check your e-mails, you might want to think about changing your passwords – a flaw in the program reveals your private information in plain text.

According to an article over on CNet, Canadian hacker Holden Karau discovered the flaw in Zimbra whilst participating in the Yahoo University Hack Day, a programme aimed at encouraging developers and hackers to play with Yahoo APIs and invent new applications. Unfortunately, Yahoo got rather more than it bargained for from Karau.

In a post on his blog, Holden explains that the IMAP e-mail servers that Yahoo uses for its Yahoo Zimbra Desktop client don't support the Secure Sockets Layer encryption protocol, which means “the password was being transmitted [to the server] in plain text.”

While the flaw requires a fairly unlikely attack – at some point between you and the server, an attacker would have to 'sniff' the traffic to capture the passwords – it is by no means impossible to exploit. For users on a wireless network, it's even more of an issue: wireless systems work by broadcasting all data to all clients, making it trivial to eavesdrop on a conversation and pick up the password.

Karau admits that the Hack Day wasn't the best place to bring the issue up, but claims that – despite not placing in the competition, unsurprisingly – he has no regrets: “In retrospect it probably wasn't the best forum to bring up the security defects, but it was the most convenient.”

A spokesperson for Yahoo claims that “[the] problem has already been addressed in code, and [a] fix is in the next release,” although it offers no explanation for how e-mail software in this day and age could be set to plain-text authentication.

Any Zimbra users out there panicking about who's reading their e-mails, or don't you care who has access to your spam? Share your thoughts over in the forums.

4 Comments

M4RTIN 30th September 2008, 15:11
I'd never even heard of Zimbra before this.
p3n 30th September 2008, 15:54
There's no such thing as bad publicity!
iwog 30th September 2008, 16:17
Quote:
Originally Posted by M4RTIN
I'd never even heard of Zimbra before this.

+1

So I guess the fallout isn't going to be massive
1ad7 1st October 2008, 01:39
Yeah, I was like oooo cool name, what's Zimbra? Then I thought, wait, Yahoo has an email client? Then I was glad I don't have a need for such things.... plain text passwords..... seriously.... someone needs to be fired.