Apple Mail New Account Wizard May Disclose Passwords Via the Network
SecurityTracker Alert ID: 1013915
SecurityTracker URL: http://securitytracker.com/id/1013915
Date: May 9 2005
Impact: Disclosure of authentication information
Exploit Included: Yes
Description: A vulnerability was reported in the new account wizard of Apple Mail. The wizard may send the user's IMAP password over the network in plain text.
When a new account is created for an IMAP mail server that offers both plain IMAP and IMAP over SSL, the wizard validates the entered credentials by logging in over the plain IMAP service (port 143) before it asks the user whether SSL should be used. Because the IMAP LOGIN command carries the password unencrypted, the password is transmitted in plain text and can be read by anyone able to observe the connection, even though the user may never have intended to use the non-SSL service.
The vendor was notified on May 1, 2005, without reply.
Markus Woerle (mrks) reported this vulnerability.
Impact: The user's IMAP password will be transmitted over the network in plain text.
Solution: No solution was available at the time of this entry.
Vendor URL: www.apple.com/
Cause: Access control error, State error
Underlying OS: UNIX (macOS/OS X)
Source Message Contents
Subject: Mac OS 10.4: new-account wizard in Mail 2.0 sends clear-text passwords

I reported this bug on 01-May-2005 09:21 PM CEST to Apple's bug-reporting facility (Problem ID: 4104391), without reply yet.

At its first use, Mail.app 2.0 will launch a new-account wizard that leads through the account-creation process. This wizard asks for a name, a login name and a password and then tries to validate this information by logging in. In case one's ISP offers an IMAP server with normal IMAP (port 143) and IMAP over SSL (port 933), the wizard uses the insecure IMAP to log in and validate the settings. This happens _before_ it asks whether to use SSL or not. In this case, the only chance not to scream out a password while creating the first account is to use a wrong password or to disconnect from the internet.
Steps to Reproduce:
0. Make sure your email ISP provides IMAP and IMAP over SSL.
1. Launch Mail.app 2.0 for the first time or use "File - Add Account...".
2. Create a new account, choose:
   Account Type: IMAP
   some account description
   your full name
   your email address
3. Click "Continue".
4. Fill in:
   your incoming mail server
5. Launch some packet sniffing utility (e.g. tcpdump, ngrep or something similar) to watch your inet device (especially IP port 143).
6. Click "Continue". Mail.app will now validate your settings by logging in. It will use your IMAP without SSL by default and send your password clear-text through the net. Watch your packet sniffer.
7. On the next page you'll get asked whether to use SSL or not, but that's probably too late.

Expected Results:
The wizard should try to open a socket but not log in, or ask whether to use SSL or not _before_ validating the account settings.

Actual Results:
It opens a socket and logs in without giving the user the chance to

Notes:
* haven't tried this with POP and POPs
* maybe similar problems with SMTP-Auth if the SMTP server supports STARTTLS, but only AUTH PLAIN (and no AUTH CRAM-MD5) SASL authentication