
bartonjd

macrumors member
Original poster
Oct 18, 2012
73
0
Logan, Utah
I have been sniffing my iPhone traffic of late and yesterday made an uncomfortable discovery: my Gmail password is being sent to Google in plain text! I have been through every setting I can find and, as near as I can tell, SSL is turned on everywhere. Is this a weakness with iOS or is there something I am missing? Thanks in advance!
 
Don't use on unsecure networks.

Cellular, home wifi, or VPN to home.
 
Don't use on unsecure networks.

Cellular, home wifi, or VPN to home.

This. From past sniffing, it's a GMAIL thing. I was able to see the password, plain text being sent from a Mac on a home WPA2 secure network.
 
This. From past sniffing, it's a GMAIL thing. I was able to see the password, plain text being sent from a Mac on a home WPA2 secure network.
So Gmail doesn't use SSL for sending the password despite its being set in the settings app?

Is this with the web interface or native iOS Mail app?

This was with the built in mail app not the web interface.

So is it fair to say I should use a different mail app, or am I going to experience this no matter what?
 
I'd like to try and reproduce this. Did you sniff via a shared network connection or is there a better way now (it's been a while since I've done this). Also, what iOS version are you on and did you set up the account as a Google account or Exchange ActiveSync or something else? Also, could it be an app (other than the mail app). A quick test would be to disable or remove the Gmail e-mail account.

Sorry for all the questions but not much point in trying if my setup is too dissimilar.
 
So Gmail doesn't use SSL for sending the password despite its being set in the settings app?



This was with the built in mail app not the web interface.

So is it fair to say I should use a different mail app, or am I going to experience this no matter what?

Not sure. All I know is this is the third instance I have heard of this, one of them was my own password being seen during a wifi sniffing experiment of my own, with a friend, using a secure network. The password was found and seen in the logs in plain text.
 
I'd like to try and reproduce this. Did you sniff via a shared network connection or is there a better way now (it's been a while since I've done this). Also, what iOS version are you on and did you set up the account as a Google account or Exchange ActiveSync or something else? Also, could it be an app (other than the mail app). A quick test would be to disable or remove the Gmail e-mail account.

Sorry for all the questions but not much point in trying if my setup is too dissimilar.

I am definitely using the native Mail app. I am on iOS 7.1 beta 3, so it's possible the beta is the issue. I set this up as a traditional Google account; I wasn't aware you could still set a Gmail account up using the Exchange option. I am using Cain & Abel for the traffic analysis.

Not sure. All I know is this is the third instance I have heard of this, one of them was my own password being seen during a wifi sniffing experiment of my own, with a friend, using a secure network. The password was found and seen in the logs in plain text.

I am interested to hear more, what incidents have you heard of?
 
In this day and age do not expect any internet privacy.


This isn't so much about privacy as not wanting my password blatantly stolen... At least not as easily as Apple is making it. I'd appreciate any recommendations on how I can check Gmail securely without using safari to do it.
 
This isn't so much about privacy as not wanting my password blatantly stolen... At least not as easily as Apple is making it. I'd appreciate any recommendations on how I can check Gmail securely without using safari to do it.

Have you tried the Gmail app?
 
Can you please clarify what you are saying? Is the password being sent in plaintext via SSL or is it being sent without encryption at all?

Both of these are problems but the latter is far more serious. How are you sniffing the traffic?
 
Have you tried the Gmail app?

I have not... I didn't like the Gmail app when I used it but perhaps I need to reconsider.

Can you please clarify what you are saying? Is the password being sent in plaintext via SSL or is it being sent without encryption at all?

Both of these are problems but the latter is far more serious. How are you sniffing the traffic?

It is definitely plaintext, but isn't this a concern, SSL or not? My sniffer program shouldn't be able to see the password, should it? I am using the sniffer tab in Cain and Abel and choosing my router and then redirecting my iPhone's IP to C&A.
 
I have not... I didn't like the Gmail app when I used it but perhaps I need to reconsider.



It is definitely plaintext, but isn't this a concern, SSL or not? My sniffer program shouldn't be able to see the password, should it? I am using the sniffer tab in Cain and Abel and choosing my router and then redirecting my iPhone's IP to C&A.

I was just wondering about the Gmail app. If the Gmail app is written as a native app, then it might suffer from the same problem as the iOS mail app since they would utilize the same API.

By the way, do you know how to determine if an app is native or web interface?
 
It is definitely plaintext, but isn't this a concern, SSL or not? My sniffer program shouldn't be able to see the password, should it? I am using the sniffer tab in Cain and Abel and choosing my router and then redirecting my iPhone's IP to C&A.
If Cain and Abel is proxying SSL, then yes, it'll see everything.

When you say you're redirecting your iPhone's IP to C&A, are you talking about ARP poisoning?
 
This raises lots of questions.

How exactly is the data stream being sniffed? What is the procedure used for this observation?

Is anything else in the message observable, besides the password?

Is two-factor authentication turned on in the user's Gmail account?

Is the password usable? ...In other words, does it allow a third party on a different machine to access the Gmail account in some way? (This would be the acid test for two-factor authentication.)
 
What version of iOS are you running?

I'm on iOS 7.0.4 and the default Mail app says it's using token authentication.

I haven't checked the traffic sent though.
 
Any records of this happening in the past? I'd think it's front page news if true.
So the OP's using a tool called Cain and Abel, which has this ability (emphasis mine):

The latest version is faster and contains a lot of new features like APR (Arp Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms.
 
Thanks. The OP made it sound like they weren't encrypted in the first place. Paranoid much?

I don't know that being concerned about broadcasting your password in plaintext is being paranoid. Perhaps I'm not as well informed in the areas of sniffing and traffic analysis, but I think it is a worthwhile concern and not overly paranoid.


Thanks. The OP made it sound like they weren't encrypted in the first place. Paranoid much?

If Cain and Abel is proxying SSL, then yes, it'll see everything.

When you say you're redirecting your iPhone's IP to C&A, are you talking about ARP poisoning?

Yes it is ARP poisoning. So if C&A is providing the cert, it is ok that the password shows up as plaintext?

I haven't experienced this with Evomail, which I have been trying out this week.
 
Yes it is ARP poisoning. So if C&A is providing the cert, it is ok that the password shows up as plaintext?
Yes.

The cert that C&A provides is bogus (not signed by a trusted certificate authority, hostname mismatch, etc) and your iPhone should have warned you of this dangerous situation.

photo-3.png


Only if you clicked the Continue button should the iPhone have used the bogus C&A cert, which is required for C&A to decrypt your SSL-encrypted data.

IIRC, when we were playing around with C&A, every major website we tried logging into (using https://) "only" used SSL to encrypt the username/password/data. Meaning that if someone fell for a C&A MITM attack, everything would show as plain text.
 
Yes.

The cert that C&A provides is bogus (not signed by a trusted certificate authority, hostname mismatch, etc) and your iPhone should have warned you of this dangerous situation.

photo-3.png


Only if you clicked the Continue button should the iPhone have used the bogus C&A cert, which is required for C&A to decrypt your SSL-encrypted data.

IIRC, when we were playing around with C&A, every major website we tried logging into (using https://) "only" used SSL to encrypt the username/password/data. Meaning that if someone fell for a C&A MITM attack, everything would show as plain text.

I see now.
That makes sense then how and why.
 
Thanks for the responses, this brings me some peace of mind, and a bit of a laugh too... I remember accepting the cert now that you post the screenshot.... Whoops
 
Thanks for the responses, this brings me some peace of mind, and a bit of a laugh too... I remember accepting the cert now that you post the screenshot.... Whoops

Very big relief. Thanks, everybody, for getting to the bottom of that. Thanks to the OP for raising the issue, too. I'm sure a lot of visitors to this thread learned something.

It's also a nice reminder to pay attention to those certificate pop-ups. They're a valuable indicator that something is amiss that may indicate your security is compromised.
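
The redirection step discussed in this thread (ARP poisoning places the sniffing machine between the phone and the router) leaves a trace in the ARP cache of any host on the LAN. As an added example, not part of any post above: a Python check that compares two ARP-table snapshots and flags the gateway's MAC changing or being shared with another host. The sample tables are constructed, and the BSD/macOS `arp -an` line layout and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed snapshots in the BSD/macOS `arp -an` layout (assumed format).
BASELINE = """\
? (192.168.1.1) at a4:2b:8c:11:22:33 on en0 ifscope [ethernet]
? (192.168.1.20) at 3c:15:c2:aa:bb:cc on en0 ifscope [ethernet]
? (192.168.1.42) at 0:1e:65:de:ad:1 on en0 ifscope [ethernet]
"""
DURING = """\
? (192.168.1.1) at 0:1e:65:de:ad:1 on en0 ifscope [ethernet]
? (192.168.1.20) at 3c:15:c2:aa:bb:cc on en0 ifscope [ethernet]
? (192.168.1.42) at 0:1e:65:de:ad:1 on en0 ifscope [ethernet]
? (192.168.1.77) at (incomplete) on en0 ifscope [ethernet]
"""

ENTRY = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-fA-F:]{11,17})\b")


def parse_arp(text):
    """Return {ip: mac}; unresolved '(incomplete)' entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            # Octets may be printed without leading zeros; pad to two digits.
            mac = ":".join(o.zfill(2) for o in m.group(2).lower().split(":"))
            table[m.group(1)] = mac
    return table


def arp_findings(baseline, current, gateway):
    """Flag IPs whose MAC changed and any MAC the gateway IP shares."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
        old = baseline.get(ip)
        if old and old != mac:
            findings.append(("mac-changed", ip, old, mac))
    for mac, ips in by_mac.items():
        # One MAC answering for the router and another host is the classic sign.
        if gateway in ips and len(ips) > 1:
            findings.append(("gateway-mac-shared", mac, sorted(ips)))
    return findings


if __name__ == "__main__":
    for f in arp_findings(parse_arp(BASELINE), parse_arp(DURING), "192.168.1.1"):
        print(f)
```

A shared gateway MAC can also appear legitimately (for example a host that is itself the router on two addresses), so treat a finding as a prompt to check, alongside any certificate warning the client showed.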
 