Yahoo Mail Security Flaw Exposes Passwords


A hacker working on a way to access Yahoo Mail via IMAP recently discovered that Yahoo's desktop e-mail client is sending your password as plain text. That's bad news for those of you using the desktop client over public Wi-Fi connections, where just about anyone with the know-how can see your unencrypted traffic.

Zimbra, creators of what is now the Yahoo Mail desktop client, responded to the news by assuring users that a fix is already in the code and just needs to be pushed out. The problem, however, seems to be primarily on Yahoo's end, since the IMAP servers appear to refuse secure connections.

A Zimbra employee writes on the company's forum site:

This issue has been addressed from Yahoo mail server side and the patches have just been rolled out to all servers. We added related support in desktop client code and it's in the next release. Once we roll out the next release, server will phase out the old way of authentication. The new way of authentication will not send password over clear channels.

In the meantime, we would suggest sticking with the web-based e-mail client when you're working on public or otherwise insecure internet connections.
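The following is an added example, not code from Yahoo or Zimbra: a client-side policy check that reads the capabilities an IMAP server advertises (RFC 3501) and refuses to send a password unless the channel is encrypted. The function names and the sample server lines are constructed for illustration.

```python
import re

# Constructed sample server lines (not captured from any real server).
HARDENED = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] server ready"
CLEARTEXT_ONLY = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"

def parse_capabilities(line):
    """Return the set of capability atoms in a greeting or CAPABILITY response."""
    # Greeting form: * OK [CAPABILITY atom atom ...] free text
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
    if not m:
        # Untagged response form: * CAPABILITY atom atom ...
        m = re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.I)
    return {atom.upper() for atom in m.group(1).split()} if m else set()

def accepts_cleartext_login(caps):
    """True if the server has not disabled LOGIN on an unencrypted channel."""
    # RFC 3501: a server that forbids LOGIN advertises LOGINDISABLED.
    return "LOGINDISABLED" not in caps

def login_decision(caps, tls_active):
    """Decide the next step for a client that must never send a cleartext password."""
    if tls_active:
        return ("login", "channel is encrypted")
    if "STARTTLS" in caps:
        # After STARTTLS the client must discard these capabilities and ask again.
        return ("starttls", "upgrade the connection, then re-read capabilities")
    # No way to encrypt: stop here, even if the server would accept LOGIN.
    return ("abort", "no TLS offered; the password would be sent in the clear")

def audit(lines):
    """Summarise each server line as (cleartext LOGIN accepted?, client action)."""
    report = []
    for line in lines:
        caps = parse_capabilities(line)
        action, _reason = login_decision(caps, tls_active=False)
        report.append((accepts_cleartext_login(caps), action))
    return report

if __name__ == "__main__":
    for row in audit([HARDENED, CLEARTEXT_ONLY]):
        print(row)
```

The second sample line mirrors the situation described in the article: the server offers no encryption and does not disable LOGIN, so the only safe client behaviour is to abort rather than authenticate.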
