
Yahoo passwords exposed by Zimbra

Elinor Mills CNET News

Published: 30 Sep 2008 12:07 BST


Passwords used to access Yahoo Mail through the Zimbra client are sent over the internet in clear text, a Canadian programmer has said.

Holden Karau stumbled upon the problem while participating in the Yahoo University Hack Day at the University of Waterloo in Ontario, Canada, last week.

"The Yahoo IMAP servers used by the Yahoo desktop don't support SSL and the password was being transmitted in plain text," Karau wrote in a blog post on Friday.

"What does this mean for you? If you use Zimbra to access your Yahoo mail, you almost certainly need to change your password and stop using Zimbra immediately (especially if you've ever done so over wireless)," he wrote.

Unsurprisingly, Karau's hack didn't place in the competition.


"In retrospect, it probably wasn't the best forum to bring up the security defects, but it was the most convenient," Karau said.

He notified Yahoo about the problem during his presentation but no-one seemed concerned, wrote Karau in a post on Zimbra Forums.

In a different post in that forum thread, a Zimbra representative wrote: "This problem has already been addressed in code, and fix is in the next release."

A Yahoo spokeswoman said she would check into the matter.

Credit: Yahoo's Zimbra e-mail program exposes passwords from CNET News
