New Nokia Smartphones Leak E-mail Passwords
Noksu writes "Despite the recent plunge in Nokia's profits, the company is doing well in the surveillance business. The infamous 'Lex Nokia' got ratified in Finland and the company has launched a massive Nokoscope research project for data gathering. In the meantime Nokia's new smartphones forward e-mail account credentials to a remote server. Surprisingly enough, this is done in HTTP request headers. The company has been informed, but there has not been an official statement yet. Time for a class action suit in the US?"
Response from Nokia (Score:5, Interesting)
Nokia's response [blogspot.com]
Re:Non-issue? (Score:3, Interesting)
If you set up an email on your Blackberry with BIS (not BES) then RIM has your credentials.
Why is it an issue now with only Nokia?
That's a good question. I'll give you my best guess at an answer, though a guess is all that it is.
I should say up front that I don't know very much at all about Blackberries. I will assume that what you said is correct, that a Blackberry with BIS presents the very same privacy issue because it shares username/password credentials with a third party. Thus, the privacy issues posed by predecessors like the Blackberry can be viewed as a mistake or at least as less-than-optimal. If it's a mistake, then there is no good reason why Nokia could not have learned from this previous example and designed their system in such a way that no third parties need to be trusted with confidential information.
It should be possible to equip the phone with a standard POP3/IMAP e-mail client. Logically, if a phone can have a Web browser it can also have such an e-mail client. Then the login credentials can be stored in the phone itself and the phone can use APOP, TLS, or SSL to communicate securely with the e-mail server. Then Nokia is merely the carrier and has no reason to ever see anyone's login credentials and those credentials are safe(r) from other eavesdroppers because they are not sent as plaintext. If these new Nokia phones could do that, then that would represent an improvement on the earlier example of the Blackberry.
The thing I don't understand is why anyone would ever design the system in such a way that a third party needs to be trusted with confidential information. It seems unnecessary. What benefit does this provide that absolutely cannot be arranged by an independent e-mail client that stores such information locally on the phone? I suppose that same question can be rephrased as "does server-push provide any benefit that client-pull with a reasonable polling time could not also provide?"
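The APOP exchange mentioned in the comment above, as an added example that is not part of the original thread: the client proves it knows the password without sending it, and a captured reply does not verify against a later greeting. The first greeting, user name and secret are the sample values from RFC 1939; the function names and the second greeting are constructed for illustration.

```python
import hashlib
import hmac

# Sample values from RFC 1939 (section 7, APOP).
GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
USER, SECRET = "mrose", "tanstaaf"
# Constructed: a later session's greeting with a fresh timestamp.
LATER_GREETING = "+OK POP3 server ready <1896.697170953@dbc.mtview.ca.us>"


def extract_timestamp(greeting: str) -> str:
    """Return the <...> challenge from the server greeting, brackets included."""
    start = greeting.index("<")
    return greeting[start:greeting.index(">", start) + 1]


def apop_digest(timestamp: str, secret: str) -> str:
    """APOP digest: MD5 over the timestamp followed by the shared secret."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def client_apop_command(greeting: str, user: str, secret: str) -> str:
    """What the phone sends: the user name and digest, never the password."""
    return f"APOP {user} {apop_digest(extract_timestamp(greeting), secret)}"


def server_verify(greeting: str, command: str, secrets: dict) -> bool:
    """Mail-server side: recompute the digest for the greeting of *this* session.

    The server needs the shared secret itself to do this, so the secret is
    held by the phone and the mail server only, not by an intermediary.
    """
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    _, user, digest = parts
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = apop_digest(extract_timestamp(greeting), secret)
    return hmac.compare_digest(expected, digest.lower())


if __name__ == "__main__":
    cmd = client_apop_command(GREETING, USER, SECRET)
    print(cmd)
    print("same session:", server_verify(GREETING, cmd, {USER: SECRET}))
    print("replayed later:", server_verify(LATER_GREETING, cmd, {USER: SECRET}))
```

APOP relies on MD5 and protects only the login step; the message contents still travel in the clear unless the session also runs over TLS/SSL, the other option the comment lists.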
Re:Non-issue? (Score:3, Interesting)
Battery life. By having the Blackberry server push the email to your Blackberry, you save the battery time and bandwidth of checking your email every 10-15 minutes.
If you don't want them to have your password, get a BES.
It starts to become a does $.002 ==
Re:Solution: (Score:1, Interesting)
just like when you log in to Slashdot or almost any other site that requires a login. Yep, your password is sent as an unencrypted URL parameter.
But it's an unencrypted password sent over an encrypted HTTPS channel (usually, hopefully), so it's not really "plain text".
Neither is worse nor better: headers, or URL parameters. Server code can just as easily read headers as it can URL params and save them to a database or whatever it wants. And so could a sniffer if it's not HTTPS.
You're basically saying that nearly every login that's ever been widely used on the web is idiotic. Of course, x509 certificate authentication, (questionably) NTLM and a few other more obscure alternatives exist.
The issue here is more ethical than insecure technology. It isn't about whether someone could steal your password from your phone or while it's on the way to Nokia (that is all properly secured, even during this process as HTTPS is used), but whether you want Nokia to have the password at all and use it on your behalf.
I personally would be ok with it, if I felt there was enough benefit in what it provided. I currently do the same thing with Emoze, another push mail service.
But I disagree if this really is the default and only option on new phones. To trust someone with the password to your personal email is a decision a user needs to be able to make for themselves and be clearly informed that Nokia will need their password to use the service.
How else to do push email? (Score:5, Interesting)
As commenters have already pointed out on those blog posts, push IMAP will require that Nokia stores your credentials on servers that check for your new email as a proxy.
This request is https. If, during setup, you asked for push IMAP, or any number of other imaginable features for your mail account, sending your credentials to a Nokia or wireless carrier server will be necessary.
Actually... if it's https... how the hell can this guy tell what the URL request is? Has he patched their email client to snitch?
Class action suit? (Score:3, Interesting)
A class-action lawsuit? Seriously?
Americans are crazy. One guy with a blog has discovered a security flaw. There has been no exploit for this flaw. Nobody is complaining that they've lost anything. What's more, this "issue" can be fixed with a firmware update. But no! Our sense of entitlement tells us that this is another opportunity to take a bunch of money out of the pockets of an eeeeeeeeeevvil corporation ... and put it into the pockets of a bunch of lawyers. Awesome.
I love the part where Nokia hasn't even issued a response yet, and we interpret that as more reason to sue. Awesome.
Every other post on Slashdot seems to be decrying how messed-up the system is in this country, and then the next post comes along demanding that we shovel more coal into the fires. Get your heads straight, please.
Re:Non-issue? (Score:4, Interesting)
I know very well how Nokia Messaging works because I use it. This is their new email client that is now being shipped on recent higher-end phone(s), or that can be downloaded/installed on older models. It is made to compete with Blackberry services which work the same way.
You can complete its setup over the web - you go to http://email.nokia.com/ [nokia.com], enter IMAP/POP server name/username/password and add up to 10 accounts to your main Nokia account.
Alternatively, you can do these steps on the phone itself, which is what the OP described.
You then run Nokia Messaging on your phone, enter your master credentials and have access to all of your accounts.
This is how this service is designed. You may think it's not prudent to give Nokia your credentials, but this is how this service is designed and there are reasons for doing it this way.
Claiming there is some conspiracy is silly.