Anyone can access your Yahoo mail on iPhone
19th Jul 2007 | 23:00
Security firm finds iPhone, Yahoo email security problems
If you have a Yahoo email account and push email from it to your Apple iPhone, you may unknowingly be compromising your security, Tech.co.uk has learned.
With non-Yahoo email accounts, the Apple iPhone uses IMAP (Internet Mail Access Protocol) to push emails, which polls emails from the server so you need to wait to see new messages.
Yahoo does not provide a general IMAP service - they use IMAP only for iPhone access and although the iPhone supports TLS (Transport Layer Security), Yahoo! IMAP does not, which leads to a so-called replay attack. Such attacks makes you vulnerable as someone could be tricking the domain name server, pretending to be Yahoo's email server.
This could lead to anyone being able to eavesdrop on the email authentication exchange when your emails are pushed to your Apple iPhone, especially when using any open (public or private) Wi-Fi hotspot. The hacker can then gain full access to your email account until you change your password. Isode said on its website that it "would advise against using the Yahoo service with an iPhone, because of this security risk".
If Apple and Yahoo had supported TLS standards in this case, replay attacks wouldn't be possible, Cridland wrote on his blog . Or the two firms could have developed "some other proprietary mechanism that actually offered real security".
"But they didn't. Because they don't, apparently, give a flying fuck about basic security, standards, or indeed anything much other than how to look cool. I don't know why I'm so angry about this, given I don't own an Apple iPhone, but it's a further let-down from people who really ought to know better," Cridland wrote.
As it stands, the Apple iPhone uses the XYMPKI proprietary software developed by Apple and Yahoo. "Had Apple and Yahoo chosen to use the existing, open-standard, Lemonade protocol suite, this simply couldn't have happened," Cridland concluded.