09-27-2008, 12:17 PM
Zimbra Desktop sends Yahoo password in the clear (not secure)
Slashdot article about the security issue
Zimbra is sending Yahoo username and passwords in the clear (i.e. not encrypted) when syncing with Yahoo Mail. In other words, you shouldn't use Zimbra Desktop to check for Yahoo mail on a public network and I'd be wary to do so even on a private one.
Please have Zimbra log in using secure IMAP.
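The complaint above comes down to one fact about the protocol: an IMAP LOGIN command, or a SASL PLAIN blob (which is only base64, not encryption), is readable to anyone on the network path unless the session is wrapped in TLS, either on the IMAPS port or after a successful STARTTLS. As an added example that is not from this thread and not Zimbra's or Yahoo's code, the Python below scans a decoded IMAP capture for credentials that were visible in the clear. It reports the stream, the line, the username and whether the server had even advertised STARTTLS (so an operator can tell a client that ignored an available upgrade from a server that never offered one), and it never retains the password. The capture format (`<stream> <C|S> <message>`, one decoded line per row) and the sample session are constructed for this example.

```python
"""Spot IMAP credentials that went over the wire unencrypted.

Added example, not code from the forum thread or from Zimbra/Yahoo. The
capture format ("<stream> <C|S> <message>", one decoded IMAP line per row)
is an assumption made here, as is the sample session below.
"""
import base64
import re
from dataclasses import dataclass

# Constructed sample. Stream 1 logs in on a plaintext connection although the
# server advertised STARTTLS (the failure mode the thread reports). Stream 2
# negotiates STARTTLS first, so its LOGIN never appears in a decoded capture.
# Stream 3 uses AUTHENTICATE PLAIN, which is just base64, not encryption.
SAMPLE_CAPTURE = """\
1 S * OK IMAP4rev1 server ready
1 C a001 CAPABILITY
1 S * CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN
1 S a001 OK CAPABILITY completed
1 C a002 LOGIN alice@example.com hunter2
1 S a002 OK LOGIN completed
2 S * OK IMAP4rev1 server ready
2 C b001 STARTTLS
2 S b001 OK Begin TLS negotiation now
3 S * OK IMAP4rev1 server ready
3 C c001 AUTHENTICATE PLAIN
3 S +
3 C AGJvYkBleGFtcGxlLmNvbQBzM2NyM3Q=
3 S c001 OK Authenticated
"""

LINE_RE = re.compile(r"^(?P<stream>\S+)\s+(?P<dir>[CS])\s+(?P<msg>.*)$")
LOGIN_RE = re.compile(r"^\S+\s+LOGIN\s+(?P<user>\S+)\s+\S+", re.IGNORECASE)
AUTH_PLAIN_RE = re.compile(
    r"^\S+\s+AUTHENTICATE\s+PLAIN(?:\s+(?P<blob>\S+))?\s*$", re.IGNORECASE)


@dataclass
class Finding:
    stream: str
    line_no: int
    method: str                    # "LOGIN" or "AUTHENTICATE PLAIN"
    username: str                  # kept for triage; the password is never retained
    server_offered_starttls: bool  # True means the client ignored an available upgrade


def _plain_username(blob: str) -> str:
    """SASL PLAIN is base64("authzid\\0authcid\\0password"); return only authcid."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "<undecodable>"
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return "<malformed>"
    return parts[1].decode("utf-8", "replace")


def find_cleartext_logins(capture: str) -> list:
    """Return a Finding for each credential readable in the capture.

    Anything matched here was on the wire unencrypted by construction: a session
    that completed STARTTLS, or that began on the IMAPS port, carries its LOGIN
    inside TLS and a decoded capture shows nothing to match.
    """
    offered = {}           # stream -> server listed STARTTLS in its CAPABILITY response
    awaiting_blob = set()  # streams whose AUTHENTICATE PLAIN still awaits its base64 line
    findings = []
    for line_no, raw in enumerate(capture.splitlines(), 1):
        m = LINE_RE.match(raw)
        if not m:
            continue
        stream, direction, msg = m.group("stream", "dir", "msg")
        if direction == "S":
            words = msg.upper().split()
            if words[:2] == ["*", "CAPABILITY"] and "STARTTLS" in words:
                offered[stream] = True
            continue
        if stream in awaiting_blob:
            awaiting_blob.discard(stream)
            if msg.strip() != "*":  # a lone "*" aborts the SASL exchange instead
                findings.append(Finding(stream, line_no, "AUTHENTICATE PLAIN",
                                        _plain_username(msg.strip()),
                                        offered.get(stream, False)))
            continue
        login = LOGIN_RE.match(msg)
        auth = AUTH_PLAIN_RE.match(msg)
        if login:
            findings.append(Finding(stream, line_no, "LOGIN",
                                    login.group("user").strip('"'),
                                    offered.get(stream, False)))
        elif auth and auth.group("blob"):
            findings.append(Finding(stream, line_no, "AUTHENTICATE PLAIN",
                                    _plain_username(auth.group("blob")),
                                    offered.get(stream, False)))
        elif auth:
            awaiting_blob.add(stream)
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_CAPTURE):
        print(f"stream {f.stream} line {f.line_no}: {f.method} as {f.username!r}"
              f" (server offered STARTTLS: {f.server_offered_starttls})")
```

Run against the sample, the scan flags stream 1 (LOGIN despite an advertised STARTTLS) and stream 3 (AUTHENTICATE PLAIN on a server that never offered STARTTLS), and says nothing about stream 2, whose credentials were inside TLS. On a real network the same check belongs on a mirror port or in an IDS rule that alerts on readable LOGIN/AUTHENTICATE PLAIN on port 143, and the fix on the client side is the one the post asks for: connect on the IMAPS port or require STARTTLS before sending any credential.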
09-27-2008, 12:17 PM
Zimbra Employee
Posts: 1,688
This problem has already been addressed in code, and the fix is in the next release.
09-27-2008, 01:06 PM
Why wasn't SSL enabled in the first place?
Also, I find it a bit odd that it's fixed in your code base; when I attempted to connect using SSL with the Yahoo IMAP servers they promptly hung up on me. Are there some changes to be rolled out to the Yahoo IMAP servers as well?
(Or have you gone to even greater lengths to obfuscate the IMAP connection between Zimbra & Yahoo to keep third parties out?)
09-27-2008, 01:27 PM
Former Zimbran
Posts: 5,606
Quote:
Originally Posted by holden
Why wasn't SSL enabled in the first place?
Also, I find it a bit odd that it's fixed in your code base; when I attempted to connect using SSL with the Yahoo IMAP servers they promptly hung up on me. Are there some changes to be rolled out to the Yahoo IMAP servers as well?
(Or have you gone to even greater lengths to obfuscate the IMAP connection between Zimbra & Yahoo to keep third parties out?)

I find it odd that someone would post a blog entry, and then submit it to Slashdot to create sensationalism.
Responsible engineers notify the company first, Holden, of their concern. As JJ said, this issue has been addressed, and we are taking appropriate action.
Last edited by jholder; 09-27-2008 at 01:30 PM.
09-27-2008, 01:37 PM
Quote:
Originally Posted by holden
Also, I find it a bit odd that it's fixed in your code base; when I attempted to connect using SSL with the Yahoo IMAP servers they promptly hung up on me.

Well, *that* sort of suggests that the problem is that Yahoo's IMAP servers don't support SSL, doesn't it?
That's not Zimbra's fault, now is it?
Did you *write* the misleading /. summary?
Yes, I see that you did. Moron.
__________________
Jay R. Ashworth - ZCS 6.0.9CE/CentOS5 - St Pete FL US - Music - Blog - Photography - IANAL - I AAMA Try to Ask Questions The Smart Way -- you'll get better answers.
Put your product and version in your profile/signature - All opinions strictly my own, even though I have an employer these days.
If you [SOLVE] something, please tell everyone how for the archives
And, please... read what people write, and answer the questions they asked, not the ones they didn't.
09-27-2008, 01:44 PM
hold on one second...
Quote:
Originally Posted by Baylink
Well, *that* sort of suggests that the problem is that Yahoo's IMAP servers don't support SSL, doesn't it?
That's not Zimbra's fault, now is it?
Did you *write* the misleading /. summary?
Yes, I see that you did. Moron.

I never intended to place blame specifically on Zimbra or Yahoo; they are the same company now, no? The problem only occurs with Zimbra since the IMAP server isn't available to anyone else (well, it shouldn't be available to anyone else; it's fairly easy to trick the IMAP server into talking to you, but at that point you've taken the seatbelt off, so what happens isn't really Yahoo's problem).
09-27-2008, 01:45 PM
that was a bit harsh, did you read the entirety of my post?
Quote:
Originally Posted by jholder
I find it odd that someone would post a blog entry, and then submit it to Slashdot to create sensationalism.
Responsible engineers notify the company first, Holden, of their concern. As JJ said, this issue has been addressed, and we are taking appropriate action.

As my blog post states, I notified Yahoo! during my "hacku" presentation. They didn't seem concerned, nor did they talk with me afterwards. Regardless, users need to be informed of this since it exposes their account information, and they should take steps to avoid this (like not using Zimbra over wireless until the fix is in). I find the suggestion that I'm not responsible a little harsh. I fail to see the sensationalism in my blog post or in the Slashdot story; perhaps I am just blinded by my interest in this matter.
Rather than brushing me off for complaining about a lack of encryption, I think it would have been a better course of action for Yahoo!/Zimbra to publicly disclose this information to its users after I informed them, and switch the IMAP servers to require SSL to get people to download an update. Then everyone is happy (except for the bad guys).
Any chance of having my other questions answered about the Yahoo IMAP servers? I realize it's a bit of a loaded question, but it would be cool if I could still use the Yahoo IMAP servers for my anti-spam project; if not, I understand the business reasons behind it (gotta make money for those pro accounts).
Regardless, let's be civil; hot tempers are never a good thing. If we're in the same city sometime soon give me a shout, I'll buy you a pint of beer.
09-27-2008, 01:55 PM
Former Zimbran
Posts: 5,606
Okay, I'll buy that. Yahoo is a big place, and it's possible that whoever you reported it to, it never got to us.
Zimbra takes security very, very seriously. As a matter of fact, many of the products that we use in Zimbra, we use specifically because their competition has security issues.
Considering this issue was reported this morning, we have had little time to post an update, etc.
Zimbra Desktop has an auto-update feature, so when we release the update, all users will be informed.
We don't believe this to be your fault, obviously. We live in a world where security should be #1 for software vendors. For us, it is. A simple Yahoo/Google search would have brought up how to report security issues.
However, whoever you mentioned it to should have brought it to our attention, and we're sorry they didn't.
Holden, thanks for reporting this; if you pvt me your address, we'll send you a shirt.
(PS: you'll be sending your address in clear text)
09-27-2008, 01:59 PM
You weren't civil (that was not especially a civil act -- based as it was on the fact that you apparently don't realize that no, Zimbra Desktop users are *not* the only people who can access Yahoomail via IMAP, and that hasn't been true for *at least* two years), so why should we be?
I do think it's his fault, John; Zimbra is, effectively, so far as *I* can tell, a subsidiary of Yahoo mail -- I wouldn't be surprised if any given Zimbra employee needed to ask around to get in touch with any given Yahoomail employee, special case for ZD or not.
I'm not a cheerleader for Zimbra -- you can make your own decisions about that from the 36 bugs I filed last week; clearly I don't think Z is perfect. But I do think that -- unless you made some other attempts you haven't mentioned between mentioning to people at a hack day who weren't in the chain of command and posting it to frickin' Slashdot -- you could probably have chosen, at the very least, slightly less inflammatory language to discuss it in.
Last edited by Baylink; 09-27-2008 at 02:31 PM.
09-27-2008, 02:17 PM
Quote:
Originally Posted by Baylink
You weren't civil (that was not especially a civil act -- based as it was on the fact that you apparently don't realize that no, Zimbra Desktop users are *not* the only people who can access Yahoomail via IMAP, and that hasn't been true for *at least* two years), so why should we be?

Really? Perhaps I'm missing something; when I connected to the Yahoo IMAP servers I had to send an ID saying I was Zimbra before they would let me authenticate. I also talked to the Yahoo! people at the hack day, and they said that Yahoo! didn't offer IMAP support. I didn't just use only my code to do this; I also attempted it in Evolution since I figured my IMAP implementation could be a bit off. Perhaps I missed something incredibly obvious (does happen from time to time). I'd be very interested in knowing what the correct IMAP settings are, rather than my reverse engineered ones, since that would help with a project I am working on. Could you provide a pointer to that? It would be greatly appreciated, thanks.
I'm under the impression that I was reasonably civil, but we often have better opinions of our own behavior.
As to why you should be civil in general, I can't really make a good argument for that, but it certainly would make this discussion easier.
Quote:
Originally Posted by Baylink
I do think it's his fault, John; Zimbra is, effectively, so far as *I* can tell, a subsidiary of Yahoo mail -- I wouldn't be surprised if any given Zimbra employee needed to ask around to get in touch with any given Yahoomail employee, special case for ZD or not.

I'm not trying to place blame on Zimbra. My goal was to get this fixed. Perhaps Yahoo! was not the people to talk to, but they were sitting right across from me, and it was for Yahoo!'s IMAP servers, so I figured they would be a reasonable group to talk to.
Quote:
Originally Posted by Baylink
I'm not a cheerleader for Zimbra -- you can make your own decisions about that from the 36 bugs I filed last week; clearly I don't think Z is perfect. But I do think that -- unless you made some other attempts you haven't mentioned between mentioning to people at a hack day who weren't in the chain of command and posting it to frickin' Slashdot -- you could probably have chosen, at the very least, slightly less inflammatory language to discuss it in.

Not in the chain of command? Maybe I don't understand how this works, but they were on the dev side of Yahoo! (not like HR or ops). If they had asked me to talk to someone specific at Zimbra I certainly would have, but they were just uninterested. If you feel that my blog post was uncalled for, I would respectfully disagree, but I think this is one of those situations where neither of us will convince the other, so agreeing to disagree may be the best course of action?