<<< Date Index >>>     <<< Thread Index >>>

Mac OS 10.4: new-account-wizzard in Mail 2.0 sends clear-text passwords



Hello there!

I reported this bug at 01-May-2005 09:21 PM CEST to Apples bug- reporting facility (Problem ID: 4104391) without reply yet.

Summary:
At its first use, Mail.app 2.0 will launch a new-account-wizzard that leads through the account-creation process. This wizzard asks for a name, a loginname, a password and then tries to validate these informations by loging in. In case ones ISP offers an IMAP server with normal IMAP (port 143) and IMAP over SSL (port 933) the wizzard uses the insecure IMAP to login and validate the settings. This happens _before_ it asks whether to use SSL or not. In this case, the only chance not to scream out a password while creating the first account is to use a wrong password or to disconnect from the internet.

Steps to Reproduce:
0. Make sure your email ISP provides IMAP and IMAP over SSL.
1. Launch Mail.app 2.0 the first time or use "File - Add Account..."
2. Create a new account, choose:
    Account Type: IMAP
    some account description
    your full name
    your email address
3. click "Continue"
4. Fill in:
    your incoming mail server
    your username
    your password
5. Launch some packet sniffing utillity (e.g. tcpdump, ngrep or something similar) to watch your inet device (especially ip port 143). 6. click "Continue". Mail.app will now validate your settings by logging in. It will use your IMAP without SSL by default and send your password clear-text through the net. Watch your packet sniffer. 7. On the next page you'll get asked whether to use SSL or not, but thats probably too late.

Expected Results:
The wizard should try to open a socket but don't log in, or ask whether to use SSL or not _before_ validating the account settings

Actual Results:
It opens a socket and logs in without giving the user the chance to activate SSL.

Notes:
* haven't tried this with POP and POPs
* maybe similar problems with SMTP-Auth if the SMTP server supports STARTTLS, but only AUTH PLAIN (and no AUTH CRAM-MD5) SASL authentication

Ciao!
mrks