my.com “MyMail” disaster: when security and privacy become marketing gags

source: https://flic.kr/p/6S4DJf, cc-by-2.0

The internet is a constantly evolving agglomeration of excellent, mediocre and weird ideas. My.com [1] seems to have taken the weird path with its MyMail app, an iOS and Android email application claiming to “Focus on what’s important” [2].

Well, tell me, what do you think: are security and privacy important for anybody using email for communication? You would guess so.

Contrary to what my.com claims, a recent security audit on one of our mail servers revealed the following terrifying things:

Suspicious activity

Sometime in autumn 2015 we detected “suspicious” accesses to some customer email accounts. Two things triggered an alert:

  • Emails for customers known to reside in the European Union were suddenly fetched from and/or sent by servers in the Russian Federation
  • Coincidentally, both SMTP and IMAP/POP3 logins were suddenly taking place without any encryption, using PLAIN authentication

Feb 04 08:33:17 noreia dovecot: imap-login: Login: user=<xxxx>,
method=PLAIN, rip=185.30.177.45, lip=172.17.33.1, mpid=44298,
session=<xxxxxx>

Among a couple of others that we saw, 185.30.177.45 is an IP address assigned to Mail.Ru, one of Russia’s biggest email providers.

PLAIN is the simplest, stone-age authentication method: the password itself goes over the wire, merely base64-encoded, which is not encryption. With extremely minimal effort anybody – anybody! – can intercept passwords sent like that without being noticed. This is pretty much like “hiding” your car keys by putting them on the roof of your car. It is almost like inviting anybody to take them.

For many years, PLAIN authentication has been considered tolerable only when the connection itself is encrypted, normally with TLS. But in our case not even that happens: there is no TLS handshake at all.

Up to this point we were afraid that some account data had leaked and spammers or hackers were abusing customer mail accounts, but how wrong we were …

Cross-checking the SMTP logs for the affected user accounts, we found this:

Feb 1 18:09:08 marathon postfix/smtpd[74012]: connect from f32.my.com[185.30.177.94]
Feb 1 18:09:08 marathon postfix/smtpd[74012]: XXXXXXXXXXX: 
  client=f32.my.com[185.30.177.94], sasl_method=PLAIN, sasl_username=xxxx

Yet another IP address registered to Mail.Ru, and yet again PLAIN password authentication without any transport encryption. Its hostname “f32.my.com” then rang a bell: when talking to one of the affected customers, it became clear that she had recently started using my.com’s MyMail app on her Android tablet.
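The two log excerpts above are exactly what a mail admin should be alerting on: a password-carrying authentication method on a connection that never negotiated TLS, and logins for a customer from a network you would not expect. The script below is an added example for this post, not code from my.com, Mail.Ru or the original author; it reads constructed Dovecot and Postfix lines modelled on the ones shown here (user names, queue IDs, the 192.0.2.0/24 “home” network and the TLS lines are made up) and flags both conditions. It assumes Dovecot marks an encrypted login with a “, TLS” (or “, secured”) token on the Login line, and that Postfix logs “… TLS connection established from …” under the same smtpd PID before the “client=… sasl_method=…” line, so the two are correlated by PID.

```python
"""Flag cleartext SASL logins and logins from unexpected networks in mail logs.

Added example (not the post's or any vendor's code). Log lines below are
constructed to resemble the Dovecot and Postfix excerpts in the post.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log: alice and bob are made-up users, 192.0.2.0/24 is the
# made-up "expected" customer network, the two 185.30.177.x addresses are the
# ones quoted in the post.
SAMPLE_LOG = """\
Feb 04 08:33:17 noreia dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=185.30.177.45, lip=172.17.33.1, mpid=44298, session=<aaaa>
Feb 04 08:35:02 noreia dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=172.17.33.1, mpid=44301, TLS, session=<bbbb>
Feb 04 08:36:40 noreia dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=172.17.33.1, mpid=44310, session=<cccc>
Feb  1 18:09:08 marathon postfix/smtpd[74012]: connect from f32.my.com[185.30.177.94]
Feb  1 18:09:08 marathon postfix/smtpd[74012]: 3AB12C4D5E: client=f32.my.com[185.30.177.94], sasl_method=PLAIN, sasl_username=alice
Feb  1 18:12:30 marathon postfix/smtpd[74020]: connect from home.example[192.0.2.10]
Feb  1 18:12:30 marathon postfix/smtpd[74020]: Anonymous TLS connection established from home.example[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  1 18:12:31 marathon postfix/smtpd[74020]: 3AB12C4D5F: client=home.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
"""

# Dovecot login line; everything after mpid= is kept so we can look for the
# ", TLS" / ", secured" marker (assumption about Dovecot's log format).
DOVECOT_LOGIN = re.compile(
    r"dovecot: (?P<svc>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>\w+), rip=(?P<rip>[^,]+), lip=[^,]+, mpid=\d+(?P<rest>.*)$"
)
# Postfix smtpd lines, correlated per process ID.
POSTFIX_CONNECT = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: connect from \S+\[(?P<rip>[^\]]+)\]")
POSTFIX_TLS = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: \w+ TLS connection established from")
POSTFIX_AUTH = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: \w+: client=\S+\[(?P<rip>[^\]]+)\], "
    r"sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)"
)

# Mechanisms that carry the password itself (base64 is not encryption).
PASSWORD_MECHANISMS = {"PLAIN", "LOGIN"}


@dataclass
class Finding:
    service: str        # "imap", "pop3" or "smtp"
    user: str
    rip: str            # remote IP of the client
    encrypted: bool     # True if the session had TLS when the password was sent
    reasons: tuple      # human-readable reasons the login was flagged


def audit(log_text, expected_networks):
    """Return a Finding for every login that is cleartext or from an unexpected network."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    tls_by_pid = {}     # smtpd PID -> whether TLS was established on the current connection
    findings = []

    def review(service, user, rip, method, encrypted):
        reasons = []
        if method.upper() in PASSWORD_MECHANISMS and not encrypted:
            reasons.append("cleartext password over unencrypted connection")
        if not any(ipaddress.ip_address(rip) in net for net in nets):
            reasons.append("login from outside expected networks")
        if reasons:
            findings.append(Finding(service, user, rip, encrypted, tuple(reasons)))

    for line in log_text.splitlines():
        m = DOVECOT_LOGIN.search(line)
        if m:
            encrypted = ", TLS" in m["rest"] or ", secured" in m["rest"]
            review(m["svc"], m["user"], m["rip"], m["method"], encrypted)
            continue
        m = POSTFIX_CONNECT.search(line)
        if m:
            tls_by_pid[m["pid"]] = False      # new connection: no TLS seen yet
            continue
        m = POSTFIX_TLS.search(line)
        if m:
            tls_by_pid[m["pid"]] = True
            continue
        m = POSTFIX_AUTH.search(line)
        if m:
            review("smtp", m["user"], m["rip"], m["method"], tls_by_pid.get(m["pid"], False))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, ["192.0.2.0/24"]):
        print(f"{f.service:4} user={f.user:6} from {f.rip:15} tls={f.encrypted}: {'; '.join(f.reasons)}")
```

On the sample above this reports three logins: alice’s IMAP login and SMTP submission from the Mail.Ru addresses (cleartext and from an unexpected network), and bob’s POP3 login (cleartext only); alice’s TLS sessions from the home network pass. The server-side fix is to refuse password mechanisms on unencrypted connections altogether: in Dovecot that is disable_plaintext_auth = yes (its default), in Postfix smtpd_tls_auth_only = yes. With those set, an app like the one described here can no longer log in at all without TLS, and the failed attempts still show up in the log.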

Plaintext rules the MyMail world

So, let me summarize: some of our customers are apparently using the MyMail app from my.com, which was bought by Russian-based Mail.Ru in 2012. When adding an account in the app, the following appears to happen:

  • your account credentials are transferred to a server in the Russian Federation
  • email is not received directly on your device; instead Russian servers retrieve your email, sending your plaintext credentials over the wire
  • email is not sent directly from your device; instead it is transferred to a Russian server that sends it unencrypted, again using your completely unencrypted account credentials

In other words:

Anybody with access to those Russian-based servers has access to every detail of your mailbox. Unfortunately, in our post-Snowden world, this is not paranoia but completely expected.

Anybody, with extremely trivial means, can gain access to your account credentials because they are sent in plain text over unencrypted channels.

Anybody, with extremely trivial means, can gain access to your emails’ content, because, like the credentials, it is sent in plain text over unencrypted channels.

Exactly what you need in the year 2016 …

[1] https://my.com/
[2] http://mymail.my.com/en/
[3] https://mail.ru/

Hitsugaya
Guest

Any suggestion on email apps that are considered not bad for its security features?

Peter
Guest

Their privacy policy is a joke. It even states that they can and will change it at any time without notice and/or notifying you, and “encourage” users to check in periodically to see if the privacy policy has changed, to keep up to date with it. How is that even legal? I agree to something and then they change what I agreed to without telling me? It is a data mining tool.
