BlackBerry 10 email credentials purportedly sent in clear text

By on
BlackBerry 10 email credentials purportedly sent in clear text

RIM denies accusations.

Researchers say a vulnerability in BlackBerry 10 meant user email credentials were sent in clear text, a claim developer RIM denies.

German researcher Frank Rieger said in a post that email credentials entered into the BlackBerry 10 email Discovery Service would be sent RIM Canada servers in clear text if forced SSL was not enabled in mail servers.

"BlackBerry thus has not only your email credentials stored in its database, it makes them available to anyone sniffing in between," Rieger said.

“The client should only connect directly to your mail server and no one else."

Security firm Risk Based Security reported the flaws to US authorities and criticised RIM for not fixing the purported flaws.

"Due to the severity of this issue, and the apparent lack of mainstream press, Risk Based Security has reached out to clients and some contacts, including the FBI, warning them of the potential privacy and security issue," the company said in a statement.

RIM denied the existence of a "backdoor", a term slapped on the vulnerability by Risk Based Security, and asserted in a statement to SC that BlackBerry's Discovery Service does not store email passwords.

It said credentials were only used to simplify the email set-up process adding that users could go to advanced configuration to bypass the Discovery Service (and its terms and conditions) and set everything up manually.

But Risk Based Security, which sponsored the nonprofit data breach repository DataLossDB and the Open Sourced Vulnerability Database, hit back at RIM's claims.

“This appears to be validation from RIM that credentials are sent and dodges the question of the default configuration sending in cleartext,” the company said, adding the problem is amplified by the majority of users who will turn to the Discovery Service to set up email and never be aware of the issue.

Rieger reiterated that the issue is only about entering private IMAP or POP email credentials into the BlackBerry 10 Discovery Service and is not related to PIN messaging, push messaging or any other service where credentials are expected to be sent to RIM.

BlackBerry's end-user software license agreement did not mention information would be sent to RIM, Risk Based Security said.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
blackberry privacy rim security
In Partnership With

Most Read Articles

NBN Co says fibre-to-the-curb build is more complex than it hoped

NBN Co says fibre-to-the-curb build is more complex than it hoped
How Woolworths landed in 'really bad shape' with Salesforce

How Woolworths landed in 'really bad shape' with Salesforce
NBN Co explores 'FTTN in a box' for emergency network fixes

NBN Co explores 'FTTN in a box' for emergency network fixes
Don't bother with blockchain: databases or email may be better

Don't bother with blockchain: databases or email may be better
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Intro to AI for Security Professionals
Intro to AI for Security Professionals
Digital Transformation: Hope, or Hype?
Digital Transformation: Hope, or Hype?
How to choose a trusted IT provider
How to choose a trusted IT provider
Why Business Process Modelling Matters
Why Business Process Modelling Matters
Report: ANZ IT Decision Makers - Top Priorities for Endpoint Security 2018
Report: ANZ IT Decision Makers - Top Priorities for Endpoint Security 2018

Events

Log In

Username / Email:
Password:
  |  Forgot your password?