Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Yahoo!

Submission + - Security flaw in Yahoo mail exposes auth info

Submitted by tdalek
tdalek writes: After patching its plaintext authentication gaffe, Yahoo! Zimbra Desktop has fumbled the security and privacy ball once again. Yahoo! Zimbra now uses the standard authentication method used by the rest of the Yahoo! Mail family. However, unlike other implementations where invalid SSL certificates will throw up plenty of warnings for the user, Yahoo! Zimbra Desktop is trivially vulnerable to a man-in-the-middle attack, as it simply transmits the usernames & passwords regardless of who's picked up on the other side. With all of the news about DNS vulnerabilities, this seems like exceptionally poor timing for a MiTM. For the time being you may wish to switch to using the Yahoo! webmail interface, until this bug gets fixed.
Security

Submission + - Yahoo! Zimbra Desktop vulnerable to MiTM

Submitted by
holdenkarau
holdenkarau writes: "After patching the its plaintext authentication gaffe, Yahoo! Zimbra desktop has hit another stumbling block in the security road. Yahoo! Zimbra now uses the standard authentication method used by the rest of the Yahoo! Mail family. However, unlike other implementations where invalid SSL certificates will throw up plenty of warnings for the user, Yahoo! Zimbra Desktop is trivially vulnerable to a man-in-the-middle attack, as it simply transmits the usernames & passwords regardless of who's picked up on the other side. With all of the news about DNS vulnerabilities, this seems like exceptionally poor timing for a MiTM. For the time being you may wish to switch to using the Yahoo! webmail interface, until this bug gets fixed."
Books

Amazon Kindle Endorsed By Oprah 197

Posted by kdawson from the you-could-pay-to-read-slashdot dept.
Oprah Winfrey enthused about the Amazon Kindle on her show today — it's her "new favorite thing" — and had Jeff Bezos on to announce a $50-off offer good till Nov. 1. A plug on Oprah is ordinarily a sign that a product has crossed over into the mainstream. But her show's audience has been slipping lately, and it's unclear how many cash-strapped citizens will be willing to part with $309 (after the special offer) for a new techno-gadget, for which they then have to shell out more money for DRM-encrusted content.
Privacy

Submission + - E-mails of Yahoo! iPhone users exposed

Submitted by Anonymous Coward
An anonymous reader writes: Yahoo! is one of the lucky few default e-mail providers on the iPhone; sadly it looks like Apple didn't insist on encryption from Yahoo! Unlike the other default providers (gmail, etc.) Yahoo! doesn't use encryption for either downloading or sending messages. Incoming messages are downloaded in plaintext over the standard imap port. Outgoing mail is a bit harder to find, it is apparently sent by an HTTP post request slightly obscured inside a bundle of XML, but security through obscurity isn't very effective. While the GSM protocol is cracked, this is probably of more concern to users who use the iPhone's built in Wi-Fi.
Technology (Apple)

Submission + - Tapping the iPhone, brought to you by Yahoo!

Submitted by tdalek
tdalek writes: You may remember the recent Slashdot article about Yahoo! Zimbra Desktop exposing authentication information. It turns out that more that other Yahoo! applications are affected, although to a lesser degree. With Yahoo!'s desktop program, it transmitted the usernames and passwords in plaintext. Yahoo! is one of the lucky few default e-mail providers on the iPhone; sadly it looks like Apple didn't insist on encryption from Yahoo! On the iPhone, authentication is encrypted, but you can see all the messages sent and received in plaintext. Incoming messages are downloaded in plaintext over the standard imap port. Outgoing mail is a bit harder to find, it is apparently sent by an HTTP post request wrapped up inside a bundle of XML, but security through obscurity isn't very effective. If you have Yahoo! mail on your iPhone (and since its one of the default accounts, I'm assuming quite a few do), now would be a good time to forward it elsewhere for the time being, and using that account instead.
Security

Submission + - iPhone exposes emails in plaintext for Yahoo users 1

Submitted by
holdenkarau
holdenkarau writes: "You may remember the recent Slashdot article about Yahoo! Zimbra Desktop exposing usernames & passwords. It turns out that more than just Yahoo! Zimbra Desktop is affected, although to a lesser degree. With Yahoo!'s desktop program, it transmitted the usernames & passwords in plaintext. Yahoo! is one of the lucky few default e-mail providers on the iPhone; sadly it looks like Apple didn't insist on encryption from Yahoo! On the iPhone, authentication is encrypted, but you can see all the messages sent and received in plaintext. Incoming messages are downloaded in plaintext over the standard imap port. Outgoing mail is a bit harder to find, it is apparently sent by an HTTP post request wrapped up inside a bundle of XML, but security through obscurity isn't very effective. If you have Yahoo! mail on your iPhone (and since its one of the default accounts, I'm assuming quite a few do), you might want to look at forwarding it somewhere else for the time being, and using that account instead."
Yahoo!

Submission + - iPhone & Yahoo! mail expose the text of emails

Submitted by kingofthehobos
kingofthehobos writes: You may remember the recent Slashdot article about Yahoo! Desktop exposing usernames and passwords. It turns out that more than just Yahoo! Zimbra desktop is affected, although to a lesser degree. In the original security whole, Yahoo!'s desktop program transmitted the usernames & passwords in plaintext. On the iPhone, authentication is encrypted, however all the messages are downloaded in plaintext over the standard imap port. Outgoing mail is a bit harder to find, it is apparently sent by an HTTP post request, but security through obscurity isn't very effective. Looking at the screen capture there also appears to be a "imie" field, which seems like it could be useful for phone cloners (if people still do those sorts of shenanigans). If you have Yahoo! mail on your iPhone (and since its one of the default accounts, I'm assuming quite a few do), you might want to look at forwarding it somewhere else for the time being, and using that account instead.
Encryption

Submission + - Yahoo! exposes usernames & passwords

Submitted by
tiffanydanica
tiffanydanica writes: "In a move hearkening back to the days of telnet, Yahoo!'s newest addition (Yahoo! Desktop) to there mail system exposes the full usernames & passwords over the wire (or wireless) in plaintext. But thats not all, doing some digging leads to the likely conclusion that all Yahoo! IMAP based client programs (including the Yahoo! iPhone) application are sending passwords in plaintext. CNET news, the Inquirer & Wired's Webmonkey are all reporting on the story (although in true Wired fashion the individual is called a "hacker"). So, if you know anyone who might have installed Yahoo! Zimbra Desktop, or used Yahoo!'s iPhone application passing the news on and getting them to switch back to the web interface and change their password (until the issues are fixed) would be ++good."
Privacy

Submission + - Yahoo! exposes user passwords (uwaterloo.ca) 3

Submitted by kingofthehobos
kingofthehobos writes: In a move hearkening back to the days of telnet, Yahoo!'s newest addition to there mail system exposes the full usernames & passwords over the wire (or wireless) in plaintext. Both CNET news & Wired's Webmonkey are reporting on the story (although in true Wired fashion the individual is called a "hacker"). So, if you know anyone who might have installed Yahoo! Zimbra Desktop getting them to switch back to the web interface and change there password (until the issues are fixed) would be ++good.
Security

Submission + - How secure is our software?

Submitted by alphabetasigmagamma
alphabetasigmagamma writes: Is it reasonable to expect that sensitive information should be encrypted before sent across the internet? Recent news, such as the security breach discovered in Yahoo desktop's mail software, as reported by CNET and Wired's Webmonkey has made many people wonder how safe their personal information is, when being sent through third party applications. In the case of Yahoo, personal information, such as passwords were sent in clear text across the wire, exposing users to possible security breaches. Can we trust our sensitive information in a software ecosystem that encompasses hundreds of pieces of software that interact with the internet everyday?
Security

Submission + - Security flaw in Yahoo mail exposes plaintext auth

Submitted by
holdenkarau
holdenkarau writes: "Yahoo!'s acquisition of opensource mail client Zimbra has apparently brought some baggage to the mail team. The new Yahoo! desktop program transmits the authentication information in plain text. Ironically enough, the flaw was discovered during a Yahoo "hacku" day at the University of Waterloo (the only Canadian school part of the trip). Compared to the recent hoopla about gmail exposing the names associated with accounts, this seems down right scary. So if you have friends or relatives who might have installed Yahoo! desktop and value their e-mail accounts, now would be a good time to get them to change the password and switch back to the oh so retro web interface."
Portables

Submission + - Canadians get behind the OpenMoko/FreeRunner

Submitted by mario
mario writes: Now that the OpenMoko platform has stabilized enough to provide the OM2008 image (supporting the three major toolkits), things are starting to heat up.Linuxdevices is reporting on the start of a port of Devicescape's connect application.Koolu (another Canadian company) is also doing development for it's W.E. phone (a branded FreeRunner). Which leads me to ask, where are the American companies?
Linux Business

Submission + - Firms start developing for the OpenMoko/FreeRunner

Submitted by
Anonymous Coward
Anonymous Coward writes: "Now that the OpenMoko platform has stabilized enough to provide a usable development image, things are starting to heat up. The freedom of the OpenMoko platform certainly seems to be working, developers are getting behind the OpenMoko in a big way. Linuxdevices&Linux.com are both reporting on the start of a port of Devicescape's connect application. Koolu is also doing development for it's W.E. phone (a branded FreeRunner). Hopefully, without the restrictiveness of cell-phone carriers we can star to see some truly innovative mobile applications come forward."
Portables

Submission + - Firms begin developing for the OpenMoko/FreeRunner

Submitted by cscholden
cscholden writes: Now that the OpenMoko platform has stabilized enough to provide a usable development image, things are starting to heat up. The freedom of the OpenMoko platform certainly seems to be working, developers are getting behind the OpenMoko in a big way. Linuxdevices & NewsForge/Linux.com are reporting on the start of a port of Devicescape's connect application.Koolu (another Canadian company) is also doing development for it's W.E. phone (a branded FreeRunner). Hopefully, without the restrictiveness of cell-phone carriers we can star to see some truly innovative mobile applications on the OpenMoko.

Slashdot Top Deals

"It's the best thing since professional golfers on 'ludes." -- Rick Obidiah

Close