[38748] in bugtraq


Mac OS 10.4: new-account-wizard in Mail 2.0 sends clear-text passwords

daemon@ATHENA.MIT.EDU (Markus Wörle)
Fri May 6 12:25:11 2005

Mime-Version: 1.0 (Apple Message framework v728)
Content-Transfer-Encoding: 7bit
Message-Id: <F1508E76-7597-4674-A370-1C6595B40C50@mrks.de>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
To: bugtraq@securityfocus.com
From: Markus Wörle <mrks@mrks.de>
Date: Wed, 4 May 2005 21:27:59 +0200

Hello there!

I reported this bug on 01-May-2005 09:21 PM CEST to Apple's
bug-reporting facility (Problem ID: 4104391) without a reply yet.

Summary:
At its first use, Mail.app 2.0 will launch a new-account wizard that
leads through the account-creation process. This wizard asks for a
name, a login name and a password and then tries to validate this
information by logging in. In case one's ISP offers an IMAP server
with normal IMAP (port 143) and IMAP over SSL (port 933), the wizard
uses the insecure IMAP to log in and validate the settings. This
happens _before_ it asks whether to use SSL or not. In this case, the
only chance not to scream out a password while creating the first
account is to use a wrong password or to disconnect from the internet.

Steps to Reproduce:
0. Make sure your email ISP provides IMAP and IMAP over SSL.
1. Launch Mail.app 2.0 the first time or use "File - Add Account..."
2. Create a new account, choose:
     Account Type: IMAP
     some account description
     your full name
     your email address
3. click "Continue"
4. Fill in:
     your incoming mail server
     your username
     your password
5. Launch some packet sniffing utility (e.g. tcpdump, ngrep or
something similar) to watch your inet device (especially ip port 143).
6. click "Continue". Mail.app will now validate your settings by  
logging in. It will use your IMAP without SSL by default and send  
your password clear-text through the net. Watch your packet sniffer.
7. On the next page you'll get asked whether to use SSL or not, but
that's probably too late.

Expected Results:
The wizard should try to open a socket but not log in, or ask
whether to use SSL or not _before_ validating the account settings.

Actual Results:
It opens a socket and logs in without giving the user the chance to  
activate SSL.

Notes:
* haven't tried this with POP and POPs
* maybe similar problems with SMTP-Auth if the SMTP server supports  
STARTTLS, but only AUTH PLAIN (and no AUTH CRAM-MD5) SASL authentication
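The following is an added example, not code from the report or from Apple: it models what the packet sniffer in step 5 would show and what a client should have checked before sending the password. scan_capture() walks a captured IMAP or SMTP session (constructed transcripts with a hypothetical host, user and password) and flags any LOGIN / AUTHENTICATE PLAIN / AUTH PLAIN command that was sent before STARTTLS, also recording whether the server had offered STARTTLS. It goes beyond the report by covering the SMTP AUTH PLAIN case raised in the notes as well as IMAP. may_send_credentials() is the client-side rule the "Expected Results" section asks for.

```python
"""Detect credentials sent over a cleartext mail session (added example)."""
import base64
import re

# Constructed transcripts (not from the report). "C:" is client->server,
# "S:" is server->client. Host, user and password are hypothetical.
IMAP_CAPTURE = [
    "S: * OK IMAP4rev1 server ready",
    "C: a001 CAPABILITY",
    "S: * CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN",
    "S: a001 OK CAPABILITY completed",
    "C: a002 LOGIN alice hunter2",          # what the wizard does on port 143
    "S: a002 OK LOGIN completed",
]

SMTP_CAPTURE = [
    "S: 220 mail.example.invalid ESMTP",
    "C: EHLO laptop",
    "S: 250-mail.example.invalid",
    "S: 250-STARTTLS",
    "S: 250 AUTH PLAIN",
    "C: AUTH PLAIN " + base64.b64encode(b"\0alice\0hunter2").decode(),
    "S: 235 Authentication successful",
]

# Client negotiates STARTTLS first; in a real capture the LOGIN line would be
# ciphertext, it is written out here only so the scanner's state can be shown.
SAFE_CAPTURE = [
    "S: * OK IMAP4rev1 server ready",
    "C: a001 STARTTLS",
    "S: a001 OK Begin TLS negotiation now",
    "C: a002 LOGIN alice hunter2",
]


def _sasl_plain_user(b64):
    """Return the authentication identity from a base64 SASL PLAIN blob."""
    try:
        parts = base64.b64decode(b64).split(b"\0")
    except ValueError:                      # binascii.Error is a ValueError
        return None
    return parts[1].decode(errors="replace") if len(parts) == 3 else None


def scan_capture(lines):
    """Return findings for credentials sent on a cleartext leg of the session."""
    tls = False
    starttls_offered = False
    findings = []
    for n, line in enumerate(lines, 1):
        side, _, text = line.partition(": ")
        if side.strip() == "S":
            if "STARTTLS" in text.upper():  # CAPABILITY / EHLO advertised it
                starttls_offered = True
            continue
        # IMAP sends "<tag> STARTTLS", SMTP just "STARTTLS"; after it the
        # remaining lines are encrypted, so stop flagging.
        if re.fullmatch(r"(\S+ )?STARTTLS", text.upper()):
            tls = True
            continue
        user = None
        m = re.match(r"\S+ LOGIN (\S+) (\S+)$", text, re.I)
        if m:
            user = m.group(1).strip('"')
        m = re.match(r"(?:\S+ )?(?:AUTHENTICATE|AUTH) PLAIN (\S+)$", text, re.I)
        if m:
            user = _sasl_plain_user(m.group(1))
        if user is not None and not tls:
            findings.append({"line": n, "user": user,
                             "starttls_offered": starttls_offered})
    return findings


def may_send_credentials(socket_is_tls, capabilities):
    """Client-side rule: never send LOGIN/AUTH PLAIN on a cleartext socket.

    capabilities: tokens from the server's CAPABILITY/EHLO reply.
    Returns (allowed, reason).
    """
    caps = {c.upper() for c in capabilities}
    if socket_is_tls:
        return True, "connection is encrypted"
    if "STARTTLS" in caps:
        return False, "negotiate STARTTLS before authenticating"
    if "LOGINDISABLED" in caps:             # RFC 2595: server forbids cleartext LOGIN
        return False, "server disables cleartext LOGIN"
    return False, "no TLS offered: ask the user before sending a password in clear"


if __name__ == "__main__":
    for name, cap in (("IMAP", IMAP_CAPTURE), ("SMTP", SMTP_CAPTURE),
                      ("safe", SAFE_CAPTURE)):
        print(name, scan_capture(cap))
    print(may_send_credentials(False, ["IMAP4rev1", "STARTTLS"]))
```

Run against a real capture by converting each packet payload line to the "C: "/"S: " form; the IMAP finding for the report's scenario shows starttls_offered=True, i.e. the server could have protected the login and the client simply did not ask.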

Ciao!
mrks
