Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Security

Zimbra Desktop Vulnerable to Man-in-the-Middle Attack 49

tiffanydanica writes "For all the flack Mozilla gets about its new security warnings for https sites, at least it warns the user when a mismatch occurs. Sadly the new Yahoo! Zimbra Desktop (released in part to fix some security issues), doesn't bother validating the SSL certificate on the other side before sending along the username and password, making it vulnerable to a man-in-the-middle attack. This is certainly a step up from transmitting the information in the clear, since the attacker must switch from being passive to active, but with all of the DNS security problems, it would be fairly trivial for a malicious attacker to grab a large number of Yahoo! accounts (be it for phishing or spaming). Hopefully this issue will get fixed shortly, but for now Yahoo! Zimbra Desktop users may wish to use the webmail interface."
Security

Submission + - Yahoo! exposes auth info via man-in-the-middle

tiffanydanica writes: For all the flack Mozilla gets about its new security warnings for https sites, at least it warns the user when a miss-match occurs. Sadly the new Yahoo! Zimbra Desktop (released in part to fix some security issues), doesn't bother validating the SSL certificate on the other side before sending along the username and password making it vulnerable to a man-in-the-middle attack. This is certainly a step up from transmitting the information in the clear, since the attacker must switch from being passive to active, but with all of the DNS security problems & it would be fairly trivial for a malicious attacker to grab a large number of Yahoo! accounts (be it for phishing or spaming). Hopefully this issue will get fixed shortly, but for now Yahoo! Zimbra Desktop users may wish to use the webmail interface.
Security

Submission + - Yahoo! Zimbra Desktop vulnerable to MiTM

holdenkarau writes: "After patching the its plaintext authentication gaffe, Yahoo! Zimbra desktop has hit another stumbling block in the security road. Yahoo! Zimbra now uses the standard authentication method used by the rest of the Yahoo! Mail family. However, unlike other implementations where invalid SSL certificates will throw up plenty of warnings for the user, Yahoo! Zimbra Desktop is trivially vulnerable to a man-in-the-middle attack, as it simply transmits the usernames & passwords regardless of who's picked up on the other side. With all of the news about DNS vulnerabilities, this seems like exceptionally poor timing for a MiTM. For the time being you may wish to switch to using the Yahoo! webmail interface, until this bug gets fixed."
Security

Submission + - iPhone exposes emails in plaintext for Yahoo users 1

holdenkarau writes: "You may remember the recent Slashdot article about Yahoo! Zimbra Desktop exposing usernames & passwords. It turns out that more than just Yahoo! Zimbra Desktop is affected, although to a lesser degree. With Yahoo!'s desktop program, it transmitted the usernames & passwords in plaintext. Yahoo! is one of the lucky few default e-mail providers on the iPhone; sadly it looks like Apple didn't insist on encryption from Yahoo! On the iPhone, authentication is encrypted, but you can see all the messages sent and received in plaintext. Incoming messages are downloaded in plaintext over the standard imap port. Outgoing mail is a bit harder to find, it is apparently sent by an HTTP post request wrapped up inside a bundle of XML, but security through obscurity isn't very effective. If you have Yahoo! mail on your iPhone (and since its one of the default accounts, I'm assuming quite a few do), you might want to look at forwarding it somewhere else for the time being, and using that account instead."

Slashdot Top Deals

Often statistics are used as a drunken man uses lampposts -- for support rather than illumination.

Working...