Friday, September 26, 2008

Another security diversion, Yahoo! Zimbra client exposes passwords in the clear over the wire (also yahoo IMAP access now available with some fudging)

I've never really intended for this blog to be about security, but sometimes it just lands in your lap.

Taking a break from my regular coding and school work, I went to the Yahoo "hacku" day in Waterloo. I wrote a basic system to help me deal with the problem of false negatives in e-mail spam, which I'm planning on improving. Since, like the majority of students I know, I use Gmail, I initially made my program work with Gmail. However, since the food was being purchased by Yahoo, I figured I should try and make my system work with Yahoo as well.

At first glance, it didn't seem possible. Yahoo! doesn't presently offer IMAP support, and all the cool parts of their mail API require a pro account (which I later got, but didn't have at the time). Some digging suggested that Yahoo did syncing for the new Yahoo Zimbra desktop product over IMAP, which wasn't available to others. So I downloaded the Linux binary and, with a bit of help from my good friend netstat, found the IMAP host (not surprisingly ). If it had worked, all would have ended there without digging my nose around any further. Sadly, the server didn't want to talk to my client.

I figured I would look at the difference between what my client was sending and what the Zimbra client was sending. Launching Wireshark and looking at port 143 quickly led to two important discoveries.

1) The Yahoo! IMAP servers require that you announce you are Zimbra (just send [ID (guid 1 os "Linux" "os-version" "2.6" "vendor" "Zimbra")]) before auth :P
2) The Yahoo! IMAP servers used by the Yahoo Desktop don't support SSL, and the password was being transmitted in plain text
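The two discoveries above boil down to something a client (or a network monitor) can check mechanically: what the server advertises in CAPABILITY, and whether a LOGIN goes out before any TLS is in place. The following is an added example written for this post, not code from the original or from Zimbra or Yahoo. It runs over a constructed port-143 session modelled on the exchange described above (ID announcement, then LOGIN); the mailbox name, password, tags and capability list are placeholders I made up, not captured values.

```python
import re

# Constructed sample of a port-143 IMAP exchange, modelled on the Zimbra
# behaviour described in the post (ID announcement, then LOGIN). The
# mailbox name, password and tags are placeholders, not real credentials.
SAMPLE_SESSION = [
    '* OK IMAP4 ready',
    'a001 ID ("guid" "1" "os" "Linux" "vendor" "Zimbra")',
    'a001 OK ID completed',
    'a002 CAPABILITY',
    '* CAPABILITY IMAP4rev1 ID NAMESPACE',
    'a002 OK CAPABILITY completed',
    'a003 LOGIN "alice@example.invalid" "hunter2"',
    'a003 OK LOGIN completed',
]

# LOGIN carries user and password as literal arguments; AUTHENTICATE PLAIN
# carries them base64-encoded, which is cleartext-equivalent on the wire.
LOGIN_RE = re.compile(r'^(\S+)\s+LOGIN\s+(\S+)\s+\S+\s*$', re.IGNORECASE)
AUTH_PLAIN_RE = re.compile(r'^(\S+)\s+AUTHENTICATE\s+PLAIN\b', re.IGNORECASE)


def _unquote(token):
    """Strip the surrounding double quotes of an IMAP quoted string."""
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return token[1:-1]
    return token


def parse_capabilities(lines):
    """Collect the tokens advertised in untagged '* CAPABILITY ...' responses."""
    caps = set()
    for line in lines:
        if line.upper().startswith('* CAPABILITY '):
            caps.update(tok.upper() for tok in line.split()[2:])
    return caps


def find_cleartext_auth(lines, tls_active=False):
    """Return (tag, mechanism, username) for every authentication that would
    expose the password on a session not wrapped in TLS. The password itself
    is deliberately not captured: a detector should not retain it."""
    if tls_active:
        return []
    findings = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            findings.append((m.group(1), 'LOGIN', _unquote(m.group(2))))
            continue
        m = AUTH_PLAIN_RE.match(line)
        if m:
            findings.append((m.group(1), 'AUTHENTICATE PLAIN', None))
    return findings


def decide_auth(capabilities, tls_active):
    """Client-side guard to run before sending credentials.
    'login'          - TLS is already up, LOGIN is acceptable
    'starttls-first' - server offers STARTTLS; negotiate it, then re-check
    'refuse'         - neither, so LOGIN would put the password on the wire
    """
    if tls_active:
        return 'login'
    caps = {c.upper() for c in capabilities}
    if 'STARTTLS' in caps:
        return 'starttls-first'
    return 'refuse'


if __name__ == '__main__':
    caps = parse_capabilities(SAMPLE_SESSION)
    print('server capabilities:', sorted(caps))
    print('client decision    :', decide_auth(caps, tls_active=False))
    for tag, mech, user in find_cleartext_auth(SAMPLE_SESSION):
        print(f'cleartext credentials: tag={tag} mechanism={mech} user={user}')
```

On the constructed session the server advertises neither STARTTLS nor LOGINDISABLED, so `decide_auth` returns `'refuse'` and the detector flags the `a003 LOGIN` line; a client that applied this guard would never have sent the password. The same `find_cleartext_auth` logic run over a port 143 capture (with `tls_active=False`, since there is no TLS on that port) is the monitoring side of the same check.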

Since it was about 5am at this point, the implications of #2 didn't really hit home until after taking my pre-class nap.

What does this mean for you? If you use Zimbra to access your Yahoo mail, you almost certainly need to change your password and stop using Zimbra immediately (especially if you've ever done so over wireless).


Sadly, my hack didn't end up placing. In retrospect it probably wasn't the best forum to bring up the security defects, but it was the most convenient. I did however get some free pizza out of it (although not enough to have leftovers :( ). The hackday brought out a lot of interesting people writing interesting code; I certainly hope to see more of these (sponsored by Yahoo or otherwise) in the future.

I'm planning on adding a number of additional features and rolling out my anti-spam code slowly. If you're interested in hearing more about my not-exactly-a-spam-filter, you can sign up for a mailing list at or just subscribe to my blog, since I will likely post updates here as time goes on.


Anonymous said...

This will be fixed in the next Zimbra Desktop version according to a post by a Zimbra employee on their forums.

Anonymous said...

lol ........

Holden Karau said...

That's great news. Although it would be even better if they let people know the security risk in the old client publicly, since Slashdot only reaches so many people.
Great of course would have been having SSL turned on from the start :P
Although, I'm a little confused as to how Zimbra fixed it within their code base. My testing indicated that the Yahoo IMAP servers didn't want to speak over SSL to anyone; does the Zimbra team run the Yahoo IMAP servers?

Anonymous said...

IMAP is an old and insecure protocol. If you use that protocol, you will of course send data in plain text.

Similar is the case with FTP.

You can either use IPSec to secure that data or use TLS.

Holden Karau said...

Right, most providers (i.e. Gmail) use TLS because plaintext is the failboat for passwords.

Anonymous said...

Since when did "XXX is not encrypted" become worthy of security attention?

Holden Karau said...

Since the 90s. MC Hammer power :P

David Fraser said...

There are other ways of authenticating over IMAP that don't use SSL but don't send your password in plain text - Digest-based authentication. Of course, SSL is preferable...

scott said...

I found this trying to use Yahoo IMAP with free account. At the moment it's possible by simply sending ID ("guid" "1") before LOGIN. Thanks for the very informative post!

Bijan said...

Scott is definitely right about the GUID command.

I have modified mutt and thunderbird to send that command and therefore to also enable IMAP access to yahoo mail:!_Mail#Free_IMAP_and_SMTPs_access

incoming server: (IMAP port 143)
outgoing server: (SMTP SSL port 465)
password: same as yahoo webmail

I made the small modifications to thunderbird based on YPOPs and FreePOPs.

Anonymous said...

I know very little about how IMAP works, but doesn't the Zimbra setup described here -- as well as Bijan's GUID command hack -- end up sending your password in the clear (port 143)?

I'm very keen to get TB 3 set up to work with Yahoo mail over IMAP, but cleartext passwords would be a showstopper.

Any enlightenment would be very appreciated.
HJ said...

Very impressive stuff. thanks for sharing
