MSGID: 2:221/1.58@fidonet 07d3e0eb
PID: OpenXP/5.0.57 (Win32)
CHRS: ASCII 1
TZUTC: -0400

cc: INTERNET, MOBILE, SECURITY, SN_INTEL

> https://www.kuketz-blog.de/mailbox-org-entdeckt- 
unverschluesselte-passwortuebertragung-in-mymail/
>
> Severe safety issue in mymail app found.


Google Translate yields --

 mailbox.org discovers unencrypted password transmission in myMail

The mailbox.org team recently discovered a critical
vulnerability in the myMail client for iOS, which leads to
unencrypted transmission of user passwords and emails.

mailbox.org became aware of the problem after customers pointed
out transmission errors in the user forum that occurred when
sending emails via the myMail client. After examining the logs,
the team found that the myMail app was attempting to transmit
passwords without the otherwise required TLS encryption . After
the connection was established, the app did not send the usual
STARTTLS-Kommando, but instead continued to transmit the user's
unencrypted login data. This enabled mailbox.org to extract or
read the passwords from the connection logs.

According to Peer Heinlein, managing director of mailbox.org,
their e-mail servers consistently reject such unencrypted
connections in order to ensure user security. This is the only
reason why the connection attempts of the myMail app failed, so
that users and postmasters of mailbox.org were taken aback.

This problem is not only relevant for mailbox.org customers: It
also represents a general security risk for all users who use
the myMail client. Content and passwords can be read and tapped
by third parties, especially if the users are in an open
network (e.g. WiFi airport, train, etc.). If other providers
allow unencrypted connections and are used in connection with
the current version of the myMail app, attackers can also read
the content of the unencrypted e-mails.

Therefore, mailbox.org strongly recommends not using the myMail
client in connection with their service or other e-mail
providers until the developers of the app have fixed the
security problems. There are numerous alternative email clients
that offer higher security standards and protect privacy
better. At the same time, the current incident once again
underlines the importance of communicating exclusively via
systems that are configured securely and enforce encryption.


--- OpenXP 5.0.57
 * Origin:  (2:221/1.58)
SEEN-BY: 10/0 1 15/0 103/705 106/201 124/5016 153/757 7715 203/0 218/0
SEEN-BY: 218/1 700 221/1 6 360 226/30 227/114 229/110 112 113 307
SEEN-BY: 229/317 426 428 470 664 700 240/1120 266/512 280/464 292/854
SEEN-BY: 292/8125 301/1 310/31 317/3 320/219 341/66 234 396/45 423/81
SEEN-BY: 460/58 633/280 712/848 2320/105
PATH: 221/1 280/464 103/705 218/700 229/426