Submission: iPhone/Yahoo mail security vulnerability (isode.com)
Will Sheward writes: "Whilst trying to figure out how the iPhone was doing its 'push' email with Yahoo (it seems it doesn't — but that's another story) we came across another security flaw. The iPhone authenticates with Yahoo using a private protocol called XYMPKI, used in conjunction with IMAP. Yahoo do not provide a general IMAP service — they use IMAP only for iPhone access. Although the iPhone supports TLS (Transport Layer Security), Yahoo! IMAP doesn't, which can lead to a replay attack.
Anyone able to eavesdrop on the authentication exchange, such as when using any open (public or private) wi-fi service, can easily gain full access to the user's email account until the user changes their password. We would advise against using the Yahoo service with an iPhone, because of this security risk. Full details here"