Dovecot mail-crypt webmail can't read encrypted messages
Serveria Support
support at serveria.com
Tue Oct 11 14:22:48 UTC 2022
Bingo! Great to see a like-minded person here, John!
Yeah, it's such an obvious vulnerability, I'm kinda surprised most
people here don't see an issue with that. If I were a Dovecot Pro OX
customer, I'd be very concerned about this "feature".
Imagine hacking Protonmail's server, getting root access and seeing
customers' passwords there in clear text? )))
On 2022-10-11 17:38, John Tulp wrote:
> I find this conversation "interesting".
>
> Serveria, I think some can't see the attack scenario where the
> attacker's goal is simply to get email passwords, and nothing else. It
> would make sense for their strategy to do nothing else "bad" on the
> server to attract attention to their intrusion. In that case, all they
> would do is send back the treasure trove of passwords to their home
> server(s), and sit there, remaining possibly for years, hiding,
> exploiting the fact that Dovecot, with no code modification, will allow
> them to grab email passwords. If a Dovecot server has thousands of
> email accounts, that represents thousands of other devices they could
> target, which is worth much more to the attacker than a single Dovecot
> server.
>
> Oh well, food for thought.
>
>
> On Tue, 2022-10-11 at 15:11 +0300, Serveria Support wrote:
>> Yes, I realize that. But I can't think of a reason this password is
>> necessary in the logs. It's kind of a backdoor and has to be removed
>> from the code. Why make an intruder's life easier?
>>
>> On 2022-10-11 13:39, Arjen de Korte wrote:
>> > Citeren Serveria Support <support at serveria.com>:
>> >
>> >> Yes, there is a tiny problem letting the attacker change this value
>> >> back to yes and instantly get access to users' passwords in plain
>> >> text. Apart from that - no problems at all. :)
>> >
>> > If an attacker is able to modify your Dovecot configuration, you have
>> > bigger problems than leaking your users' password. Much bigger...