MSGID: 2:221/1.58@fidonet 07d3e0e4
PID: OpenXP/5.0.57 (Win32)
CHRS: ASCII 1
TZUTC: -0400

cc: INTERNET, MOBILE, SECURITY, SN_INTEL

> https://www.kuketz-blog.de/mailbox-org-entdeckt- 
unverschluesselte-passwortuebertragung-in-mymail/
>
> Severe safety issue in mymail app found.


Google Translate yields --

 mailbox.org discovers unencrypted password transmission in myMail

The mailbox.org team recently discovered a critical
vulnerability in the myMail client for iOS, which leads to
unencrypted transmission of user passwords and emails.

mailbox.org became aware of the problem after customers pointed
out transmission errors in the user forum that occurred when
sending emails via the myMail client. After examining the logs,
the team found that the myMail app was attempting to transmit
passwords without the otherwise required TLS encryption . After
the connection was established, the app did not send the usual
STARTTLS-Kommando, but instead continued to transmit the user's
unencrypted login data. This enabled mailbox.org to extract or
read the passwords from the connection logs.

According to Peer Heinlein, managing director of mailbox.org,
their e-mail servers consistently reject such unencrypted
connections in order to ensure user security. This is the only
reason why the connection attempts of the myMail app failed, so
that users and postmasters of mailbox.org were taken aback.

This problem is not only relevant for mailbox.org customers: It
also represents a general security risk for all users who use
the myMail client. Content and passwords can be read and tapped
by third parties, especially if the users are in an open
network (e.g. WiFi airport, train, etc.). If other providers
allow unencrypted connections and are used in connection with
the current version of the myMail app, attackers can also read
the content of the unencrypted e-mails.

Therefore, mailbox.org strongly recommends not using the myMail
client in connection with their service or other e-mail
providers until the developers of the app have fixed the
security problems. There are numerous alternative email clients
that offer higher security standards and protect privacy
better. At the same time, the current incident once again
underlines the importance of communicating exclusively via
systems that are configured securely and enforce encryption.


--- OpenXP 5.0.57
 * Origin: A turtle that surfs the dark web. [o] A TORtoise (2:221/1.58)
SEEN-BY: 1/123 10/0 1 15/0 90/1 92/1 103/705 105/81 106/201 123/131
SEEN-BY: 129/305 153/7715 154/10 203/0 214/22 218/0 1 700 840 850
SEEN-BY: 218/860 880 221/1 6 360 226/30 227/114 229/110 112 113 206
SEEN-BY: 229/275 307 317 400 426 428 452 470 550 664 700 240/1120
SEEN-BY: 266/512 280/464 5003 282/1038 292/854 301/1 113 317/3 320/219
SEEN-BY: 322/757 342/200 396/45 423/81 460/58 633/280 712/848 5020/1042
PATH: 221/1 301/1 218/700 229/426