Users of Yahoo's Zimbra will want to change their e-mail password and use a different client until the bug is fixed.
If you use Yahoo's Zimbra client to check your e-mails, you might want to think about changing your passwords – a flaw in the program reveals your private information in plain text.
According to an article over on CNet, Canadian hacker Holden Karau discovered the flaw in Zimbra whilst participating in the Yahoo University Hack Day, a programme aimed at encouraging developers and hackers to play with Yahoo APIs and invent new applications. Unfortunately, Yahoo got rather more than it bargained for from Karau.
In a post on his blog, Holden explains that the IMAP e-mail servers that Yahoo uses for its Yahoo Zimbra Desktop client don't support the Secure Sockets Layer encryption protocol, which means “the password was being transmitted [to the server] in plain text.”
While the flaw requires a fairly unlikely attack – at some point between you and the server, an attacker would have to 'sniff' the traffic to capture the passwords – it is by no means impossible to exploit. For users on a wireless network, it's even more of an issue: wireless systems work by broadcasting all data to all clients, making it trivial to eavesdrop on a conversation and pick up the password.
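As an added example (not from the article, and not Yahoo's or Zimbra's code), the Python below classifies what an IMAP server on the unencrypted port advertises in its CAPABILITY response, which is what decides whether a password can cross the network in the clear. The sample responses are constructed, and the function names and the exposed/downgradeable/protected labels are assumptions made for this illustration.

```python
import re

# Constructed sample server lines in RFC 3501 format (not captured traffic).
SAMPLE_NO_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN IDLE"
SAMPLE_OPTIONAL_TLS = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"
SAMPLE_ENFORCED_TLS = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"


def parse_capabilities(line):
    """Return upper-cased capability atoms from an untagged CAPABILITY
    response or from a [CAPABILITY ...] response code in a greeting."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.IGNORECASE)
    if m is None:
        m = re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.IGNORECASE)
    return {atom.upper() for atom in m.group(1).split()} if m else set()


def assess_cleartext_port(line):
    """Classify password exposure on the plaintext IMAP port (hypothetical labels).

    exposed       - no STARTTLS and a plaintext login is accepted
    downgradeable - STARTTLS offered, but plaintext login still accepted first
    protected     - plaintext login refused until TLS is negotiated
    unknown       - no capability list found in the line
    """
    caps = parse_capabilities(line)
    if not caps:
        return "unknown"
    # The LOGIN command is allowed unless the server advertises LOGINDISABLED;
    # AUTH=PLAIN and AUTH=LOGIN also carry the password merely base64-encoded.
    plaintext_ok = ("LOGINDISABLED" not in caps
                    or "AUTH=PLAIN" in caps
                    or "AUTH=LOGIN" in caps)
    if not plaintext_ok:
        return "protected"
    return "downgradeable" if "STARTTLS" in caps else "exposed"


if __name__ == "__main__":
    for sample in (SAMPLE_NO_TLS, SAMPLE_OPTIONAL_TLS, SAMPLE_ENFORCED_TLS):
        print(f"{assess_cleartext_port(sample):14} {sample}")
```

A server that reports "exposed" here matches the situation the article describes: with no TLS on offer, any client that logs in sends the password where anyone on the path can read it.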
Karau admits that the Hack Day wasn't the best place to bring the issue up, but claims that – despite not placing in the competition, unsurprisingly – he has no regrets: “In retrospect it probably wasn't the best forum to bring up the security defects, but it was the most convenient.”
A spokesperson for Yahoo claims that “[the] problem has already been addressed in code, and [a] fix is in the next release,” but offers no explanation for how e-mail software in this day and age could be set to plain-text authentication.
Any Zimbra users out there panicking about who's reading their e-mails, or don't you care who has access to your spam? Share your thoughts over in the forums.