More Yahoo! funtimes, this time with the iPhone

iPhone Sends Yahoo! Mail
Originally uploaded by dmcopernicus

You may remember, my previous blog post Another security diversion, Yahoo! Zimbra client exposes passwords in the clear over the wire (also yahoo IMAP access now available with some fudging). It turns out that more than just Yahoo! Zimbra Desktop is effected by this security oversight, although not to quite the same degree. After reading a post to the Zimbra forums suggesting Yahoo!'s iPhone applications use the same servers, I became worried that Yahoo!'s iPhone application might be affected by this.

I decided to enlist the help of my friend, Jerry (who has an iPhone), to confirm my suspicions. It turns out that Yahoo!'s One Connect application is secure. Sadly, it turned out that the iPhone mail application (with its pre-sets for Yahoo!) also fails to use encryption for everything but authentication. This means that, on the iPhone your username & password is secure. However, every e-mail (which is automatically downloaded) is transmitted over wireless (remember iPhone guys) in plaintext. In addition, doing a bit sleuthing reveals that Yahoo! is sending the outgoing mail over HTTP (you read that correctly, HTTP), and is in plaintext as well. This caught me by surprise, as I was expecting SMTP traffic. You can see the two captures of it sending & receiving here

Any e-mails from your bank, employer, girl/boy friend, is now visible to anybody with a laptop sitting in the same Starbucks as you. You are much safer if you only check the mail over the cell networks, but for those of us in countries without unlimited data plans, that isn't much consolation. In the opinion of this author, this is a phisher's wet dream.

Yahoo!'s security contact has been informed of these issues and I'm told there are no present plans to add encryption, however it is something which they would like to do at some point. Maybe if enough people point out that they don't like people snooping on their e-mail we could see this changing.