
    From August Abolins@2:221/1.58 to All on Thursday, April 27, 2023 08:42:00

    cc: INTERNET, MOBILE, SECURITY, SN_INTEL

    https://www.kuketz-blog.de/mailbox-org-entdeckt-unverschluesselte-passwortuebertragung-in-mymail/

    Severe safety issue in mymail app found.


    Google Translate yields --

    mailbox.org discovers unencrypted password transmission in myMail

    The mailbox.org team recently discovered a critical
    vulnerability in the myMail client for iOS, which leads to
    unencrypted transmission of user passwords and emails.

    mailbox.org became aware of the problem after customers pointed
    out transmission errors in the user forum that occurred when
    sending emails via the myMail client. After examining the logs,
    the team found that the myMail app was attempting to transmit
    passwords without the otherwise required TLS encryption. After
    the connection was established, the app did not send the usual
    STARTTLS command, but instead continued to transmit the user's
    unencrypted login data. This enabled mailbox.org to extract or
    read the passwords from the connection logs.

    According to Peer Heinlein, managing director of mailbox.org,
    their e-mail servers consistently reject such unencrypted
    connections in order to ensure user security. This is the only
    reason why the connection attempts of the myMail app failed, so
    that users and postmasters of mailbox.org were taken aback.

    This problem is not only relevant for mailbox.org customers: It
    also represents a general security risk for all users who use
    the myMail client. Content and passwords can be read and tapped
    by third parties, especially if the users are in an open
    network (e.g. WiFi airport, train, etc.). If other providers
    allow unencrypted connections and are used in connection with
    the current version of the myMail app, attackers can also read
    the content of the unencrypted e-mails.

    Therefore, mailbox.org strongly recommends not using the myMail
    client in connection with their service or other e-mail
    providers until the developers of the app have fixed the
    security problems. There are numerous alternative email clients
    that offer higher security standards and protect privacy
    better. At the same time, the current incident once again
    underlines the importance of communicating exclusively via
    systems that are configured securely and enforce encryption.


    --- OpenXP 5.0.57
    * Origin: (2:221/1.58)
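
A server-side check for the behaviour described in the post above, as an added example that is not part of the original post or of mailbox.org's tooling: it scans SMTP session transcripts for an AUTH command sent before the server accepted STARTTLS, and redacts the credential so it is not readable in the findings. The log format (session id, then a `C:`/`S:` side marker) and the sample sessions are constructed for illustration.

```python
import re

# Constructed sample: client (C) and server (S) lines from three SMTP sessions.
SAMPLE_LOG = """\
s1 C: EHLO phone.example
s1 S: 250-mail.example
s1 S: 250 STARTTLS
s1 C: AUTH PLAIN AGFsaWNlAGNvbnN0cnVjdGVk
s1 S: 530 5.7.0 Must issue a STARTTLS command first
s2 C: EHLO laptop.example
s2 S: 250 STARTTLS
s2 C: STARTTLS
s2 S: 220 2.0.0 Ready to start TLS
s2 C: EHLO laptop.example
s2 C: AUTH PLAIN AGJvYgBjb25zdHJ1Y3RlZA==
s2 S: 235 2.7.0 Authentication successful
s3 C: EHLO old.example
s3 C: STARTTLS
s3 S: 454 4.7.0 TLS not available
s3 C: AUTH LOGIN
s3 S: 530 5.7.0 Must issue a STARTTLS command first
"""

LINE_RE = re.compile(r"^(\S+) ([CS]): (.*)$")  # assumed log layout

def redact(command):
    """Keep 'AUTH <mechanism>' and drop any initial response (the credential)."""
    parts = command.split()
    return " ".join(parts[:2] + (["[REDACTED]"] if len(parts) > 2 else []))

def find_cleartext_auth(log_text):
    """Return (session, redacted command) for each AUTH sent outside TLS."""
    tls_active = {}   # session id -> True once the server answered STARTTLS with 220
    pending = set()   # sessions whose STARTTLS is still awaiting the server reply
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sid, side, text = m.groups()
        verb = text.split()[0].upper() if text.split() else ""
        if side == "C" and verb == "STARTTLS":
            pending.add(sid)
        elif side == "C" and verb == "AUTH" and not tls_active.get(sid):
            findings.append((sid, redact(text)))
        elif side == "S" and sid in pending:
            pending.discard(sid)
            tls_active[sid] = text.startswith("220")  # a refusal leaves the session in cleartext
    return findings
```

Session `s3` shows the case where the client asked for STARTTLS, was refused, and authenticated anyway; it is flagged the same way as a client that never sent STARTTLS.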