Friday, September 26, 2008

Another security diversion, Yahoo! Zimbra client exposes passwords in the clear over the wire (also yahoo IMAP access now available with some fudging)

I've never really intended for this blog to be about security, but sometimes it just lands in your lap.

Taking a break from my regular coding and school work, I went to the Yahoo "hacku" day in Waterloo. I wrote a basic system to help me deal with the problem of false negatives in e-mail spam, which I'm planning on improving. Since, like the majority of students I know, I use Gmail, I initially made my program work with Gmail. However, since the food was being purchased by Yahoo, I figured I should try to make my system work with Yahoo as well.

At first glance, it didn't seem possible. Yahoo! doesn't presently offer IMAP support, and all the cool parts of their mail API require a pro account (which I later got, but didn't have at the time). Some digging suggested that Yahoo did syncing for the new Yahoo Zimbra desktop product over IMAP, which wasn't available to others. So I downloaded the Linux binary and, with a bit of help from my good friend netstat, found the IMAP host (not surprisingly ). If it had worked, all would have ended there without digging my nose around any further. Sadly, the server didn't want to talk to my client.

I figured I would look at the difference between what my client was sending and what the Zimbra client was sending. Launching Wireshark and looking at port 143 quickly led to two important discoveries.

1) The Yahoo! IMAP servers require that you announce you are Zimbra (just send [ID (guid 1 os "Linux" "os-version" "2.6" "vendor" "Zimbra")]) before auth :P
2) The Yahoo! IMAP servers used by the Yahoo Desktop don't support SSL, and the password was being transmitted in plain text
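The same two findings can be pulled out of a capture without reading it by eye. This is an added example, not code from the original post or from Zimbra: it walks the client side of a port-143 IMAP session and records the ID announcement and any authentication sent before STARTTLS. It goes slightly beyond the text by also flagging AUTHENTICATE PLAIN/LOGIN, which merely base64-encodes the password. The session lines, the example.com account and the password are constructed placeholders.

```python
"""Audit the client side of a captured IMAP session for cleartext credentials."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: client lines of a port-143 session as Wireshark shows them.
# The ID command mirrors the Zimbra announcement described above; the account
# name and password are made-up placeholders.
SAMPLE_SESSION = [
    'a001 ID ("guid" "1" "os" "Linux" "os-version" "2.6" "vendor" "Zimbra")',
    'a002 LOGIN "user@example.com" "placeholder-password"',
    'a003 SELECT "INBOX"',
]

_TAGGED = re.compile(r'^(\S+)\s+(\w+)(?:\s+(.*))?$')   # tag COMMAND [args]
_ID_PAIRS = re.compile(r'"([^"]*)"\s+"([^"]*)"')        # RFC 2971 field/value pairs


@dataclass
class ImapAudit:
    client_id: Dict[str, str] = field(default_factory=dict)
    starttls_seen: bool = False
    cleartext_auth: List[str] = field(default_factory=list)  # auth sent before STARTTLS


def audit_imap_client(lines: List[str]) -> ImapAudit:
    """Walk the client commands in order. LOGIN carries the password verbatim;
    AUTHENTICATE PLAIN/LOGIN only base64-encode it, which reads just as easily
    off the wire, so both count as cleartext unless STARTTLS came first."""
    audit = ImapAudit()
    for line in lines:
        m = _TAGGED.match(line.strip())
        if not m:
            continue
        command, args = m.group(2).upper(), m.group(3) or ''
        if command == 'ID':
            audit.client_id = dict(_ID_PAIRS.findall(args))
        elif command == 'STARTTLS':
            audit.starttls_seen = True
        elif command in ('LOGIN', 'AUTHENTICATE') and not audit.starttls_seen:
            audit.cleartext_auth.append(line.strip())
    return audit


def exposes_password(lines: List[str]) -> bool:
    """True when credentials were sent on a connection never upgraded to TLS."""
    return bool(audit_imap_client(lines).cleartext_auth)


if __name__ == '__main__':
    result = audit_imap_client(SAMPLE_SESSION)
    print('client announced as:', result.client_id.get('vendor'))
    print('cleartext auth commands:', result.cleartext_auth)
```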

Since it was about 5am at this point, the implications of #2 didn't really hit home until after taking my pre-class nap.

What does this mean for you? If you use Zimbra to access your Yahoo mail, you almost certainly need to change your password and stop using Zimbra immediately (especially if you've ever done so over wireless).


Sadly, my hack didn't end up placing. In retrospect it probably wasn't the best forum to bring up the security defects, but it was the most convenient. I did however get some free pizza out of it (although not enough to have leftovers :( ). The hackday brought a lot of interested people forward to write interesting code, and I certainly hope to see more of these (sponsored by Yahoo or otherwise) in the future.

I'm planning on adding a number of additional features and rolling out my anti-spam code slowly. If you're interested in hearing more about my not-exactly-a-spam-filter, you can sign up for a mailing list at or just subscribe to my blog, since I will likely post updates here as time goes on.
