Security

Submission + - iPhone/Yahoo mail security vulnerability (isode.com)

Will Sheward writes: "Whilst trying to figure out how the iPhone was doing its 'push' email with Yahoo (it seems it doesn't — but that's another story) we came across another security flaw. The iPhone authenticates with Yahoo using a private protocol called XYMPKI, used in conjunction with IMAP. Yahoo do not provide a general IMAP service — they use IMAP only for iPhone access. Although the iPhone supports TLS (Transport Layer Security), Yahoo! IMAP doesn't, which can lead to a replay attack. Anyone able to eavesdrop on the authentication exchange, such as when using any open (public or private) Wi-Fi service, can easily gain full access to the user's email account until the user changes their password. We would advise against using the Yahoo service with an iPhone, because of this security risk. Full details here"