Will Sheward writes: "Whilst trying to figure out how the iPhone was doing its 'push' email with Yahoo (it seems it doesn't — but that's another story) we came across another security flaw. The iPhone authenticates with Yahoo using a private protocol called XYMPKI, used in conjunction with IMAP. Yahoo do not provide a general IMAP service — they use IMAP only for iPhone access. Although the iPhone supports TLS (Transport Layer Security), Yahoo! IMAP doesn't, which can lead to a replay attack. Anyone able to eavesdrop on the authentication exchange, such as when using any open (public or private) wi-fi service, can easily gain full access to the user's email account until the user changes their password. We would advise against using the Yahoo service with an iPhone, because of this security risk. Full details here"