New Nokia Smartphones Leak E-mail Passwords
Noksu writes "Despite the recent plunge in Nokia's profits, the company is doing well in the surveillance business. The infamous 'Lex Nokia' got ratified in Finland and the company has launched a massive Nokoscope research project for data gathering. In the meantime Nokia's new smartphones forward e-mail account credentials to a remote server. Surprisingly enough, this is done in HTTP request headers. The company has been informed, but there has not been an official statement yet. Time for a class-action suit in the US?"
Solution: (Score:5, Funny)
Don't use 'GET /', 'HTTP/1.0', or 'user-agent' as your password, and you will be much less likely to have your password submitted automatically by an HTTP client program.
Re:Solution: (Score:5, Informative)
Hell, what if you use a ?, & or a # in your password? Something tells me they probably didn't URL-encode it.
Although you could have some fun with dumb snoopers out there.
Just make your password:
https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
address=test.user@mycompany.com&password=topsecret&
mcc=244&mnc=91&carrier=sonera
So the request would be:
https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
address=test.user@mycompany.com&password=https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
address=test.user@mycompany.com&password=topsecret&
mcc=244&mnc=91&carrier=sonera&
mcc=244&mnc=91&carrier=sonera
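To show what the missing-URL-encoding concern in the comment above looks like in practice, here is an added Python example (not from the original thread, and not Nokia's client code) that builds the same kind of query string two ways and then parses it the way a server would. The host name, parameter names and the password are constructed values.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed base URL and parameters, modelled on the request quoted in the
# thread; every value here is made up.
BASE = "https://example.invalid/api/v1/rest/"
PARAMS = {
    "operation": "determineAccount",
    "address": "test.user@mycompany.com",
    "password": "p&ss?w#rd",   # constructed password containing &, ? and #
}

def build_naive(base, params):
    """Concatenate parameters without encoding (the bug the comment suspects)."""
    return base + "?" + "&".join(f"{k}={v}" for k, v in params.items())

def build_encoded(base, params):
    """Percent-encode each value so reserved characters survive the trip."""
    return base + "?" + urlencode(params)

def server_view(url):
    """What a server-side parser recovers: parameter -> first value."""
    parts = urlsplit(url)          # '#' ends the query, '?' is literal inside it
    query = parse_qs(parts.query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}

if __name__ == "__main__":
    for label, builder in (("naive", build_naive), ("encoded", build_encoded)):
        print(label, server_view(builder(BASE, PARAMS)))
```

With the naive builder the server sees the password as just "p": the "&" starts a new, meaningless parameter "ss?w" and everything after "#" is treated as a fragment and never sent. With urlencode() the full string round-trips intact.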
Re:Solution: (Score:4, Insightful)
Re: (Score:2)
If it's HTTPS, those URL parameters are not transmitted in the clear.
Or am I horribly mistaken? I hope not. Please let me be right?
Re:Solution: (Score:4, Insightful)
In the clear? No.
In apache access logs? muahahah....
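The point of the reply above is that TLS protects the query string on the wire but not once the server writes it to its access log. As an added illustration (not from the thread), here is a small Python checker that scans constructed Combined Log Format lines for credential-bearing query parameters and produces a redacted copy; the IP addresses, path and values are made up, and the parameter-name list is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed log lines in Apache Combined Log Format; the request path is
# modelled on the thread but every value (IP, address, password) is made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2009:12:00:01 +0300] "GET /api/v1/rest/?operation=determineAccount&address=test.user%40mycompany.com&password=topsecret HTTP/1.1" 200 512 "-" "NokiaE75/1.0"
203.0.113.8 - - [10/May/2009:12:00:02 +0300] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Assumed list of parameter names that should never reach a log file.
SENSITIVE = {"password", "passwd", "pass", "secret", "token"}
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target):
    """Rewrite a request target, masking the values of sensitive query params."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def redact_line(line):
    """Return the log line with sensitive query values replaced."""
    def sub(m):
        return f'"{m.group("method")} {redact_target(m.group("target"))} {m.group("proto")}"'
    return REQUEST_RE.sub(sub, line)

def find_credential_leaks(log_text):
    """Return (line_number, parameter_name) for each sensitive parameter logged."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for k, _ in parse_qsl(query, keep_blank_values=True):
            if k.lower() in SENSITIVE:
                hits.append((n, k))
    return hits

if __name__ == "__main__":
    print(find_credential_leaks(SAMPLE_LOG))
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

The same check applies to reverse proxies, CDNs and crash reporters that log request lines; the only robust fix is to keep credentials out of the URL entirely (a POST body or an Authorization header that the log format does not capture).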
they aren't using Apache (Score:1)
Re: (Score:1, Interesting)
just like when you login to slashdot or almost any other site that requires a login. Yep, your password is sent as an unencrypted URL parameter.
But it's an unencrypted password sent over an encrypted HTTPS channel (usually, hopefully), so it's not really "plain text".
Neither is worse nor better: headers, or URL parameters. Server code can just as easily read headers as it can URL params and save them to a database or whatever it wants. And so could a sniffer if it's not HTTPS.
You're basically saying that ne
Re: (Score:2)
Response from Nokia (Score:5, Interesting)
Nokia's response [blogspot.com]
Re: (Score:2)
Straight out of Public Relations 101. [consumerist.com]
Re: (Score:2)
Re: (Score:2)
Ummm, how about Exchange ActiveSync DirectPush directly from your company's Exchange server, no middlemen involved? Or IMAP IDLE? You could argue that it's less efficient, but maybe you don't want to hand over your password to Nokia.
I presume that the phone has a Web browser. So, it may make sense to use a Web mail service with this phone. That way, the username/password credentials are encrypted via SSL and are never given to Nokia's servers. I realize that the issue mentioned in the summary also involves SSL-encrypted HTTP requests, though that is the method of transport by which the credentials are given to Nokia.
I don't personally use Gmail because I am not fond of how easily this allows Google to collect information about me
Re: (Score:2)
In what way does connecting to my personal IMAP server require sending my password to Nokia?
Esp. as the workaround is to use the wrong password while using the wizard and change it afterwards.
rtard
Non-issue? (Score:4, Informative)
This isn't really an issue, is it?
Yes, it sends credentials through to Nokia, but it does _not_ use an unencrypted HTTP connection to do it. It uses SSL/HTTPS. It's also _not_ done in HTTP header messages, it's going through in the GET request.
*shrug*
Re:Non-issue? (Score:5, Insightful)
I guess Nokia getting your email account credentials isn't an issue for you.
Re:Non-issue? (Score:5, Insightful)
If you set up an email on your Blackberry with BIS (not BES) then RIM has your credentials.
Why is it an issue now with only Nokia?
Re: (Score:1, Informative)
Exactly..
Nokia's system works the same way - you create a master account at Nokia, which holds your credentials for other email accounts.
Mobile email client then talks to Nokia servers who talk to all of your mailboxes.
This article is not news.
Comment removed (Score:5, Informative)
Re:Non-issue? (Score:4, Interesting)
I know very well how Nokia Messaging works because I use it. This is their new email client that is now being shipped on recent higher-end phone(s), or that can be downloaded/installed on older models. It is made to compete with Blackberry services which work the same way.
You can complete its setup over the web - you go to http://email.nokia.com/ [nokia.com] enter IMAP/POP server name/username/password and add up to 10 accounts to your main Nokia account.
Alternatively, you can do these steps on the phone itself, which is what the OP described.
You then run Nokia Messaging on your phone, enter your master credentials and have access to all of your accounts.
This is how this service is designed. You may think it's not prudent to give Nokia your credentials, but this is how this service is designed and there are reasons for doing it this way.
Claiming there is some conspiracy is silly.
Re: (Score:2)
It's called buying the right device for your needs.
You don't go out and buy a hammer and complain it doesn't work well removing screws.
If you want a device to check your email directly, then you should probably buy a device that can check your email directly.
These devices do not work that way, so sound like the wrong choice if that is what you need.
There are plenty of devices on the market that can check email directly and don't require their own server component in between. This person should be looking a
Re: (Score:1)
I've never used BIS (or BES) so I'm not sure. But why would any email client need to pass the credentials it has to a third party to connect to a POP/IMAP server? If RIM is doing the same thing, then they should be called on it as well.
This is no different than if Outlook sent your credentials to MS, or Thunderbird sent them to Mozilla.
Re:Non-issue? (Score:5, Informative)
Basically their (RIM, etc) server will check for email, download it, compress it, then push it to your device.
So if you have 10 email accounts rather than your device constantly checking each one, wasting data and battery life, the server does all that work and you get push email functionality.
Re: (Score:2)
They do it because the blackberry has no real mail client. It is all done via some mess involving RIMs servers to get your mail for you.
This is because the kind of people who use these devices have no idea how any of it works, they think it is all magic.
Re:Non-issue? (Score:5, Informative)
Re: (Score:1)
I have no info about BIS and I never used BlackBerry, but it sounds similar to what I observed Opera Mini doing.
However, doesn't IMAP already "push" you information when you get new email into your inbox? And, how is it possible for the device to get the mail if it doesn't keep an open connection to the server? The only other way is polling... and that's not push mail, that's standard POP mail.
I honestly don't know what could be so different about BIS.
So, please tell me: what's so different compared to IMAP
Re: (Score:1)
Too bad you posted as AC, I hope you notice this:
Why are you not worried that Nokia is unnecessarily collecting your username and password without your knowledge? Shouldn't your data stay on your device?
From what I gathered, Nokia Messaging doesn't do anything differently from standard clients ... except that it includes a wizard that allows you to more easily configure your account. And it does so by collecting your username and password; why?
Re: (Score:1)
Ahh, didn't realize that this is how RIM's "push" email worked. Even still, according to the articles on the blog, this is not Nokia's Messaging server, just their basic POP/IMAP client. So again, Nokia shouldn't need it.
Re: (Score:3, Interesting)
If you set up an email on your Blackberry with BIS (not BES) then RIM has your credentials.
Why is it an issue now with only Nokia?
That's a good question. I'll give you my best guess at an answer, though a guess is all that it is.
I should say up front that I don't know very much at all about Blackberries. I will assume that what you said is correct, that a Blackberry with BIS presents the very same privacy issue because it shares username/password credentials with a third party. Thus, the privacy issues posed by predecessors like the Blackberry can be viewed as a mistake or at least as less-than-optimal. If it's a mistake, then
Re: (Score:1)
It was more of a rhetorical question.
Re: (Score:2)
It was more of a rhetorical question.
You may have intended it that way, yes. That's the funny thing about posting in public forums -- people may respond in all sorts of ways, even those you did not intend! Okay, I'm being facetious. Seriously though, rhetorical questions are much more effective when the answer is obvious or assumed. They tend to fall apart when there are multiple answers and multiple viewpoints from which those answers can come.
I'm responding this way because you're frankly coming across as rather smug. It's as though
Re: (Score:3, Interesting)
Battery life. By having
Re: (Score:2, Informative)
IMAP, on a properly written client, in online mode, keeps the connection open and the server notifies the client when new messages arrive.
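The IDLE mechanism the comment describes is RFC 2177: the client issues IDLE, the server answers with a continuation and then pushes untagged EXISTS responses as mail arrives, until the client sends DONE. As an added example (not from the thread, and not any particular client's code), here is a Python state tracker fed with a constructed server-side transcript of one such session; the tags, message counts and the RFC 2177 re-issue interval are the only assumptions.

```python
import re

# Constructed server side of one IMAP IDLE session; the client's lines are
# shown as comments. Tags and message numbers are made up.
SERVER_LINES = [
    "* 3 EXISTS",                          # after SELECT INBOX: 3 messages
    "a002 OK [READ-WRITE] SELECT completed",
    # client: a003 IDLE
    "+ idling",                            # continuation: server is now pushing
    "* 4 EXISTS",                          # a 4th message arrived
    "* 1 RECENT",
    "* 5 EXISTS",                          # a 5th message arrived
    # client: DONE
    "a003 OK IDLE terminated",
]

# RFC 2177 recommends re-issuing IDLE at least every 29 minutes so that
# NAT devices and servers do not drop the quiet connection (assumption).
IDLE_REISSUE_SECONDS = 29 * 60

EXISTS_RE = re.compile(r"^\* (\d+) EXISTS$")
TAGGED_RE = re.compile(r"^[^*+\s]\S* (OK|NO|BAD)\b")   # tagged, not untagged "*"

class IdleWatcher:
    """Tracks the mailbox message count and records pushes seen while idling."""

    def __init__(self):
        self.count = None      # last EXISTS value seen
        self.idling = False
        self.arrivals = []     # (new_count, delta) for each push during IDLE

    def feed(self, line):
        """Consume one server response line."""
        if line.startswith("+ "):          # continuation: IDLE accepted
            self.idling = True
            return
        if self.idling and TAGGED_RE.match(line):   # tagged reply ends IDLE
            self.idling = False
            return
        m = EXISTS_RE.match(line)
        if m:
            new = int(m.group(1))
            if self.idling and self.count is not None and new > self.count:
                self.arrivals.append((new, new - self.count))
            self.count = new

def replay(lines):
    """Feed a transcript through an IdleWatcher and return it."""
    watcher = IdleWatcher()
    for line in lines:
        watcher.feed(line)
    return watcher

if __name__ == "__main__":
    w = replay(SERVER_LINES)
    print("messages:", w.count, "pushed arrivals:", w.arrivals)
```

Nothing in this exchange involves a third party: the device holds the connection open to the user's own IMAP server, which is why a push-capable client does not need to hand credentials to a proxy.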
Nokias aren't Blackberry (Score:2)
Well, that's the reason many people don't buy Blackberry phones. Nokia used to be different. But apparently Nokia phones are off the table as well now for anybody who cares about security.
And why does it matter? Because once the password is sent in plain text anywhere, you have no control over it. It likely gets stored in Nokia's server logs and on their backup tapes. Nokia employees can access it. Police can subpoena it. Intruders can sniff it. Etc.
Re: (Score:2)
Or Google. Or Microsoft. Or any other e-mail-service-provider.
First thing I did on my phone was install my own PIM and communication suite. I would have loved to replace the OS, but this is still a bit of a rocky ride. Too rocky for a new phone with a guarantee.
An issue. (Score:2)
RTFBP again. He's not using any proxy server or messaging depot--he's going to connect directly to his company's mail server, and not have Nokia cache the email for him.
Why does Nokia need a copy of his credentials in that case?
(They don't.)
Re: (Score:1)
RTFBP again. He's not using any proxy server or messaging depot
Wrong, he is using Nokia Messaging, which is a service Nokia provides. This is what the "wizard" is all about.
Re: (Score:3, Informative)
nope [slashdot.org].
At least that was very clearly not his intention
Re: (Score:2, Redundant)
OK, so it isn't Nokia Messaging, it is the new wizard application, which checks that your credentials are valid by actually logging into the e-mail account, and if there are problems, alerts you to check your credentials instead of creating the account on your phone. While it would have been nice to get a warning that the wizard is doing that via a Nokia server, it is still not such a big deal.
Re:An issue. (Score:5, Insightful)
it is still not such a big deal.
Not a big deal to have your credentials sent to a third party? What if Nokia's wizard used a Finnish government server instead?
What if a Chinese-made phone was sending username/password to a Chinese government server?
What if Antti Järjestelmävalvojanen, a (fictitious) Nokia network admin, starts storing them on his thumb drive?
A few details I forgot: (Score:5, Informative)
Subby here: To clarify some things: this issue is on Nokia Messaging client. The only device (AFAIK) that currently ships with Nokia Messaging is E75. The older models use the old email/messaging software, that has nothing to do with Nokia Messaging service.
I haven't checked how Nokia markets the Nokia Messaging service/client nowadays, but originally it was marketed as a service (the email proxy) and accompanying client, and you couldn't even use the client without the proxy service.
Apparently this has changed now when E75 ships without the original standalone email client.
So, E71 (or any other Nokia phone except E75) does not have this issue unless you have downloaded the separate Nokia Messaging software and use that for reading mail.
Re:A few details I forgot: (Score:5, Informative)
According to the blogger's follow-up [blogspot.com], at least three models are affected:
5800 (20.0.0.12)
N79 (11.049)
E75 (110.48.78)
Also from the follow-up:
Yes, I know there is a solution called Nokia Messaging (read more from here), but maybe I wasn't clear enough in my initial post: I am configuring direct IMAP/POP access to my own/company/organization/whatever email service and I am not using nor planning to use Nokia's messaging proxy.
Re:A few details I forgot: (Score:4, Informative)
I'm on the server software team, so I'm not completely sure about the client - but as I understand it, the client's hitting our CCDS server to save you the step of putting in server names / ports /etc. The service was written for Nokia Messaging, and is used there, but is also valid for the client to configure its built-in client.
Re: (Score:2)
Hmm... how can it know the server name / port / etc, if I for example have
some.person@secure-server.tld,
and the server would be something like
ssmtp://some.person:super-secret_password@mail.not-in-mx.secure-server.tld:39482?
By the way: Why not just let users enter such an url?
Re: (Score:2)
And don't tell me "because they're too stupid and it is too irrelevant". The same was true for HTTP URLs in the beginning of the WWW. People learned it anyway. If you can do math at school and drive a car, stop whining and learn how to enter a damn URL! ^^
Re: (Score:2)
How often have you seen average people typing more complicated URLs than www.google.com? Most of them are too stupid to find the navigation bar and eat the shit of whatever search bar or start page is provided on their computer for whatever reason.
Re: (Score:1)
...and why isn't domain name (e.g. "gmail.com") sufficient for this autoconfiguration step? That is, why is the username + password needed?
Only reason I can guess is "ok, let's get Nokia's server to try logging into mail.domain.com, then pop.mail.com, then imap.domain.com, then domain.com, and then give up" but ... in that case user should explicitly mark a checkbox "Send my user credentials to Nokia for autoconfiguration".
Can you elaborate why it isn't so?
PS Otherwise this service would be a great idea.
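The question above, whether a domain name alone is enough for autoconfiguration, has a concrete answer in the mechanisms mail clients already use without a password: RFC 6186 DNS SRV records and the Thunderbird-style config-v1.1.xml autoconfig document. The following added Python example (not from the thread, not Nokia's or Mozilla's code) derives the credential-free lookups for an address and parses a constructed autoconfig document into server settings; the XML sample, the address and the domain are made up, and the lookup conventions are those I know from Thunderbird's ISPDB format.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

def autoconfig_lookups(address):
    """Credential-free places a client can ask for mail settings."""
    local, at, domain = address.rpartition("@")
    if not (at and local and domain):
        raise ValueError("not an e-mail address")
    domain = domain.lower()
    return {
        # RFC 6186: each SRV answer names the host and port directly.
        "srv": [f"_{svc}._tcp.{domain}"
                for svc in ("imaps", "imap", "pop3s", "pop3", "submission")],
        # Thunderbird/ISPDB autoconfig locations (convention, assumed here).
        "autoconfig_urls": [
            f"https://autoconfig.{domain}/mail/config-v1.1.xml?emailaddress={quote(address)}",
            f"https://{domain}/.well-known/autoconfig/mail/config-v1.1.xml",
        ],
    }

# Constructed config-v1.1.xml document for a made-up provider. The username
# fields carry placeholders; no password ever appears in this format.
SAMPLE_AUTOCONFIG = """\
<clientConfig version="1.1">
  <emailProvider id="mycompany.com">
    <domain>mycompany.com</domain>
    <incomingServer type="imap">
      <hostname>imap.mycompany.com</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.mycompany.com</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILLOCALPART%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
"""

def parse_autoconfig(xml_text, address):
    """Turn an autoconfig document into concrete server settings for address."""
    local, _, domain = address.rpartition("@")
    placeholders = {"%EMAILADDRESS%": address,
                    "%EMAILLOCALPART%": local,
                    "%EMAILDOMAIN%": domain}

    def expand(text):
        for key, value in placeholders.items():
            text = text.replace(key, value)
        return text

    # stdlib parser is fine for this constructed input; use defusedxml for
    # documents fetched from the network.
    root = ET.fromstring(xml_text)
    servers = []
    for tag, role in (("incomingServer", "incoming"), ("outgoingServer", "outgoing")):
        for srv in root.iter(tag):
            servers.append({
                "role": role,
                "type": srv.get("type"),
                "host": srv.findtext("hostname"),
                "port": int(srv.findtext("port")),
                "socket": srv.findtext("socketType"),
                "username": expand(srv.findtext("username")),
            })
    return servers

if __name__ == "__main__":
    addr = "test.user@mycompany.com"
    print(autoconfig_lookups(addr))
    for s in parse_autoconfig(SAMPLE_AUTOCONFIG, addr):
        print(s)
```

Both lookups are keyed on the domain (plus, at most, the address itself as a username template), so the password can stay on the device until the client talks to the discovered server.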
sneaky.. (Score:5, Funny)
Re:sneaky.. (Score:5, Funny)
Re: (Score:1)
No, it's Captain Obvious [wikia.com] to the rescue! :)
sounds like (Score:5, Funny)
Re:sounds like (Score:4, Funny)
Re: (Score:2)
I believe they do.
If they wrote mail clients that did IMAP Idle this would not ever need to be done, or at least very rarely.
Re: (Score:2)
Which means that AT&T is doing exactly the same as Nokia is doing -- getting the unencrypted passwords of their customers' third-party email accounts.
More amateurish BS from Nokia (Score:1, Insightful)
I'm not surprised that the amateurs at Nokia would do this. The S60 platform on the whole seems like a throwback to the early 2000's, back when smartphone users were a marginalized bunch who would put up with niggling annoyances as long as they could receive email on their devices. If the iPhone OS is pretty much OS X on a phone, then S60 is like running Windows 98 on your phone.
I'm pretty much convinced that anyone using a Nokia smartphone right now is a masochist. My experience with an E71 has been horren
Re: (Score:3, Insightful)
The new "Mail by Nokia" system is hilariously crappy. They want you to give them the logins to your mail accounts, then they retrieve your email. Why would anyone do this?
Probably for the same reason that people let Gmail do this [google.com].
Re: (Score:2)
Works for Blackberry too.
How else to do push email? (Score:5, Interesting)
As commenters have already pointed out on those blog posts, push IMAP will require that Nokia stores your credentials on servers that check for your new email as a proxy.
This request is https. If, during setup, you asked for push IMAP, or any number of other imaginable features for your mail account, sending your credentials to a Nokia or wireless carrier server will be necessary.
Actually... if it's https... how the hell can this guy tell what the URL request is? Has he patched their email client to snitch?
Re: (Score:2, Insightful)
This request is https. If, during setup, you asked for push IMAP, or any number of other imaginable features for your mail account, sending your credentials to a Nokia or wireless carrier server will be necessary.
Not only have you not RTFA but you haven't bothered to read the previous Slashdot comments. He is NOT using push email and he intercepted the communications on his own network using Webscarab and Wireshark. Nokia are only providing the comms terminal and have neither the need or the right to know his password or account details.
Re: (Score:2)
So, https doesn't encrypt the URL request? I thought the only thing visible to a MitM is the domain.
Re: (Score:2)
Thank you. Thought I was going crazy for a second.
The Real Reason (Score:1)
Excellent. (Score:2)
Now that I know it's only Nokia, I don't have to throw away my perfectly good, still functioning, non-leaking, 6 YEAR old SAMSUNG cellphone.
I was getting worried.
inexcusable (Score:1, Flamebait)
Even Microsoft hasn't sunk to that level of incompetence and blatant violation of user privacy. Transmitting the user's password to a third party server in plain text over an unencrypted link is inexcusable.
I have several Nokia phones; obviously, I need to get rid of them. If they make such a fundamental mistake, Nokia obviously cannot be trusted with anything.
Fortunately, with Android, we now have a reasonable alternative.
Re: (Score:2)
Is it unencrypted? You can have unencrypted https connections, but one would assume they would encrypt it. ...you did catch that s after the http in the url?
No, what you should be concerned about is that it's being transmitted at all, since it's not required for the operation of the phone!
Re: (Score:2)
I have several Nokia phones; obviously, I need to get rid of them. If they make such a fundamental mistake, Nokia obviously cannot be trusted with anything.
The nGage should have been hint enough that there's something basic Nokia lacks, but this particular service is implemented sanely (encrypted, actually useful and all that). Remember, never trust the edit summary.
Class action suit? (Score:3, Interesting)
A class-action lawsuit? Seriously?
Americans are crazy. One guy with a blog has discovered a security flaw. There has been no exploit for this flaw. Nobody is complaining that they've lost anything. What's more, this "issue" can be fixed with a firmware update. But no! Our sense of entitlement tells us that this is another opportunity to take a bunch of money out of the pockets of an eeeeeeeeeevvil corporation ... and put it into the pockets of a bunch of lawyers. Awesome.
I love the part where Nokia hasn't even issued a response yet, and we interpret that as more reason to sue. Awesome.
Every other post on Slashdot seems to be decrying how messed-up the system is in this country, and then the next post comes along demanding that we shovel more coal into the fires. Get your heads straight, please.
Re: (Score:2)
Stupid, (Score:2)
This is the price you pay for "push" e-mail on most mobile devices.
Instead of having the phone constantly connected, polling and costing money in data bills, the network does it at their end, and can then notify the phone using some GSM jiggery-pokery.
FUD.
Give me a break... (Score:3, Informative)
Here's to sensationalism and mis-representation.
Nokoscope was not started by Nokia, but by one or two developers who happen to work for Nokia. It is not an official Nokia project, nor will it ever be, nor is it 'massive'. It will never be installed by default on any Nokia device.