mailbox.org has discovered a critical vulnerability in the myMail client for iOS, which is used by millions. Since the password transmission takes place unencrypted, this endangers the users. The vulnerability was discovered by accident because an error message was found in the TLS logs. The experts were then able to extract the passwords.
The mailbox.org team, the Berlin-based e-mail service specializing in data protection and data security, has discovered a critical security vulnerability in the myMail client for iOS that leads to unencrypted transmission of user passwords and e-mails. mailbox.org first published a corresponding warning to the users of myMail on his blog together with the security researcher Mike Kuketz.
Vulnerability reveals the passwords
The security experts at mailbox.org became aware of the security gap after customers in the mailbox.org user forum pointed out transmission errors when sending emails via the myMail client. After a thorough examination of the logs, the team discovered that the myMail app is trying to transmit passwords unsecured without the otherwise required TLS encryption, which poses a huge security risk. The mailbox.org team was thus also able to extract user passwords from the connections.
According to Peer Heinlein, Managing Director of mailbox.org, their servers generally reject unencrypted connections in order to ensure user security. This is the only reason why the incorrect connection attempts of the myMail app failed, so that mailbox.org users and postmasters became suspicious.
myMail client: Incorrect or no TLS encryption
This problem is not only relevant for mailbox.org customers: It also represents a general security risk for all users who use the myMail client. If other providers allow unencrypted connections and the myMail app continues to work, third parties could steal passwords or read the content of the unencrypted e-mails if they are sent via the myMail client, especially if users are in a open network.
The mailbox.org team strongly recommends not using the myMail client in connection with their service or other e-mail providers until the security problems have been resolved. There are numerous alternative email clients that offer higher security standards and better protection of user privacy. At the same time, the current incident shows once again how important it is to communicate exclusively via systems that are configured securely and enforce encryption.
More at mailbox.org
Via mailbox.org
The German e-mail specialist mailbox.org shows that digital sovereignty, security and data protection can also be combined with convenience and extensive features. In addition to classic e-mail core functions, security-conscious private and business customers also receive a calendar, address book, task management, online word processing and cloud storage based on an open source solution.
Matching articles on the topic