Severity:
Moderate

Impact:
Zimbra Desktop users who use Yahoo! Mail within Zimbra Desktop.

Versions Affected:
Zimbra Desktop Beta 3 and earlier (Zimbra Collaboration Suite or ZCS is not affected)

Summary:
The current and previous versions of Zimbra Desktop transmit the account password unencrypted (cleartext IMAP) to the Yahoo! IMAP servers when a Yahoo! Premium account is configured. Anyone able to observe the network traffic between the client and Yahoo! (for example, on a shared or open wireless network) can capture the username and password with ordinary packet-capture software.
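As an added illustration of what the problem looks like on the wire (this is example code written for this page, not Zimbra's or Yahoo!'s own code), the following Python scans an IMAP session transcript for credentials sent before TLS was established. The three sessions, the account name and the password are constructed for the example; the IMAP commands themselves (LOGIN, AUTHENTICATE PLAIN, STARTTLS) are the standard ones an IMAP client would send, and the STARTTLS session shows the shape of a protected login for contrast.

```python
import base64
import re
from typing import Optional

# Constructed sample sessions, as a passive sniffer on port 143 would see
# them. "C:" lines are client-to-server, "S:" lines server-to-client. The
# account name and password are invented for this example.
CLEARTEXT_LOGIN = """\
S: * OK IMAP4rev1 server ready
C: a001 LOGIN someone@example.com hunter2
S: a001 OK LOGIN completed
C: a002 SELECT INBOX
"""

# Same credentials, but the client negotiates STARTTLS first. The LOGIN
# travels inside the TLS session and is not visible to a sniffer; it is
# shown in the transcript only because this is a decrypted view.
STARTTLS_THEN_LOGIN = """\
S: * OK IMAP4rev1 server ready
C: a001 STARTTLS
S: a001 OK Begin TLS negotiation now
C: a002 LOGIN someone@example.com hunter2
S: a002 OK LOGIN completed
"""

# AUTHENTICATE PLAIN without TLS: the credentials are base64-encoded, not
# encrypted. The blob is built from the same invented credentials.
_PLAIN_BLOB = base64.b64encode(b"\0someone@example.com\0hunter2").decode()
CLEARTEXT_AUTH_PLAIN = f"""\
S: * OK IMAP4rev1 server ready
C: a001 AUTHENTICATE PLAIN
S: +
C: {_PLAIN_BLOB}
S: a001 OK AUTHENTICATE completed
"""

_LOGIN_RE = re.compile(r'^(\S+)\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)
_AUTH_RE = re.compile(r'^(\S+)\s+AUTHENTICATE\s+PLAIN(?:\s+(\S+))?\s*$', re.IGNORECASE)
_STARTTLS_RE = re.compile(r'^(\S+)\s+STARTTLS\s*$', re.IGNORECASE)


def _decode_plain(blob: str) -> Optional[tuple]:
    """Decode a SASL PLAIN message (authzid NUL authcid NUL password)."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def find_cleartext_credentials(session: str) -> list:
    """Return every credential a client sent before TLS was active.

    Each finding is a dict with tag, mechanism, username and password.
    Scanning stops once the server confirms STARTTLS, because nothing
    after that point is readable on the wire.
    """
    findings = []
    pending_tls_tag = None    # tag of a STARTTLS awaiting the server's OK
    pending_plain_tag = None  # tag of an AUTHENTICATE PLAIN awaiting its blob
    for raw in session.splitlines():
        if raw[:2] not in ("C:", "S:"):
            continue
        side, line = raw[0], raw[2:].strip()
        if side == "S":
            if pending_tls_tag and line.startswith(pending_tls_tag + " OK"):
                break  # TLS established; the rest is encrypted
            continue
        if pending_plain_tag is not None:
            creds = _decode_plain(line)
            if creds:
                findings.append({"tag": pending_plain_tag, "mechanism": "PLAIN",
                                 "username": creds[0], "password": creds[1]})
            pending_plain_tag = None
            continue
        m = _STARTTLS_RE.match(line)
        if m:
            pending_tls_tag = m.group(1)
            continue
        m = _LOGIN_RE.match(line)
        if m:
            findings.append({"tag": m.group(1), "mechanism": "LOGIN",
                             "username": m.group(2), "password": m.group(3)})
            continue
        m = _AUTH_RE.match(line)
        if m:
            if m.group(2):  # SASL-IR form: blob on the same line
                creds = _decode_plain(m.group(2))
                if creds:
                    findings.append({"tag": m.group(1), "mechanism": "PLAIN",
                                     "username": creds[0], "password": creds[1]})
            else:
                pending_plain_tag = m.group(1)
    return findings


if __name__ == "__main__":
    for name, s in [("cleartext LOGIN", CLEARTEXT_LOGIN),
                    ("STARTTLS then LOGIN", STARTTLS_THEN_LOGIN),
                    ("cleartext AUTHENTICATE PLAIN", CLEARTEXT_AUTH_PLAIN)]:
        print(name, "->", find_cleartext_credentials(s))
```

The point of the STARTTLS sample is that the same LOGIN command is harmless once the session is encrypted; the defect described in this advisory is that the client sends it before any encryption is negotiated. AUTHENTICATE PLAIN is included because base64 is often mistaken for protection: it decodes in one call.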

The upcoming release of Yahoo! Zimbra Desktop will use cookie-based authentication when communicating with the Yahoo! Mail IMAP service.

The cookie is obtained over a secure channel (SSL) and is then presented for authentication to various Yahoo! services, including IMAP. The cookies the Desktop client uses are scoped to the mail and address book services only, are valid for a short window of one hour, and can be revoked by the server.

No Yahoo! credentials will be sent over unencrypted connections in the upcoming release of Zimbra Desktop.

Action:
Most Zimbra Desktop users are unaffected. Only those connecting to Yahoo! Mail via Zimbra Desktop have the potential to be affected. Zimbra will send out an auto-update when Beta 4 of Zimbra Desktop is released. Users who are uncomfortable with transmitting their credentials in cleartext until then should follow the wiki article below to uninstall, and wait for the next release.
Uninstalling Zimbra Desktop

How to Report A Security Issue