Email Password being sent in plain text

Discussion in 'iPhone' started by bartonjd, Jan 27, 2014.

  1. bartonjd macrumors member

    Joined:
    Oct 18, 2012
    Location:
    Logan, Utah
    #1
    I have been sniffing my iPhone traffic of late and yesterday made an uncomfortable discovery, my gmail password is being sent to google in plain text! I have been through every setting I can find and as near as I can tell, SSL is turned on everywhere, is this a weakness with IOS or is there something I am missing? Thanks in advance!
     
  2. Menel macrumors 603

    Menel

    Joined:
    Aug 4, 2011
    Location:
    ATL
    #2
    Don't use on unsecure networks.

    Cellular, home wifi, or VPN to home.
     
  3. AbSoluTc macrumors 68040

    AbSoluTc

    Joined:
    Sep 21, 2008
    #3
    This. From past sniffing, it's a GMAIL thing. I was able to see the password, plain text being sent from a Mac on a home WPA2 secure network.
     
  4. blarivee macrumors 6502

    Joined:
    Jun 29, 2009
    Location:
    US
    #4
    Is this with the web interface or native iOS Mail app?
     
  5. bartonjd thread starter macrumors member

    Joined:
    Oct 18, 2012
    Location:
    Logan, Utah
    #5
    So Gmail doesn't use SSL for sending the password despite it's being set in the settings app?

    This was with the built in mail app not the web interface.

    So is it fair to say I should use a different mail app, or am I going to experience this no matter what?
     
  6. PNutts macrumors 601

    PNutts

    Joined:
    Jul 24, 2008
    Location:
    Pacific Northwest, US
    #6
    I'd like to try and reproduce this. Did you sniff via a shared network connection or is there a better way now (it's been a while since I've done this). Also, what iOS version are you on and did you set up the account as a Google account or Exchange ActiveSync or something else? Also, could it be an app (other than the mail app). A quick test would be to disable or remove the Gmail e-mail account.

    Sorry for all the questions but not much point in trying if my setup is too dissimilar.
     
  7. AbSoluTc macrumors 68040

    AbSoluTc

    Joined:
    Sep 21, 2008
    #7
    Not sure. All I know is this is the third instance I have heard of this, one of them was my own password being seen during a wifi sniffing experiment of my own, with a friend, using a secure network. The password was found and seen in the logs in plain text.
     
  8. bartonjd, Jan 28, 2014
    Last edited: Jan 28, 2014

    bartonjd thread starter macrumors member

    Joined:
    Oct 18, 2012
    Location:
    Logan, Utah
    #8
    I am definitely using the native Mail app, I am on iOS 7.1 beta 3, so its possible the beta is the issue. I set this up as traditional Google account, I wasn't aware you could still set a gmail account up using the exchange option. I am using Cain & Abel for the traffic analysis.

    I am interested to hear more, what incidents have you heard of?
     
  9. Applejuiced macrumors Westmere

    Applejuiced

    Joined:
    Apr 16, 2008
    Location:
    At the iPhone hacks section.
    #9
    In this day and age do not expect any internet privacy.
     
  10. bartonjd thread starter macrumors member

    Joined:
    Oct 18, 2012
    Location:
    Logan, Utah
    #10

    This isn't so much about privacy as not wanting my password blatantly stolen... At least not as easily as Apple is making it. I'd appreciate any recommendations on how I can check Gmail securely without using safari to do it.
     
  11. blarivee macrumors 6502

    Joined:
    Jun 29, 2009
    Location:
    US
    #11
    Have you tried the Gmail app?
     
  12. hansonjohn590 macrumors 6502

    Joined:
    Sep 14, 2013
    #12
    Can you please clarify what you are saying? Is the password being sent in plaintext via SSL or is it being sent without encryption at all?

    Both of these are problems but the latter is far more serious. How are you sniffing the traffic?
     
  13. bartonjd thread starter macrumors member

    Joined:
    Oct 18, 2012
    Location:
    Logan, Utah
    #13
    I have not... I didnt like the gmail app when I used it but perhaps I need to reconsider.

    It is definitely plaintext, but isn't this a concern SSL or not, my sniffer program shouldn't be able to see the password should it? I am using the sniffer tab in Cain and Abel and choosing my router and then redirecting my iPhones IP to C&A.
     
  14. blarivee macrumors 6502

    Joined:
    Jun 29, 2009
    Location:
    US
    #14
    I was just wondering about the Gmail app. If the Gmail app is written as a native app, then it might suffer from the same problem as the iOS mail app since they would utilize the same API.

    By the way, do you know how to determine if an app is native or web interface?
     
  15. aristobrat, Jan 29, 2014
    Last edited: Jan 29, 2014

    aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #15
    If Cain and Abel is proxying SSL, then yes, it'll see everything.

    When you say you're redirecting your iPhones ip to C&A, are you talking about arp poisoning?
     
  16. sjinsjca macrumors 68000

    sjinsjca

    Joined:
    Oct 30, 2008
    #16
    This raises lots of questions.

    How exactly is the data stream being sniffed? What is the procedure used for this observation?

    Is anything else in the message observable, besides the password?

    Is two-factor authentication turned on in the user's Gmail account?

    Is the password usable? ...In other words, does it allow a third party on a different machine to access the Gmail account in someway? (This would be the acid test for two-factor authentication.)
     
  17. nightstalkerz macrumors 6502

    Joined:
    May 9, 2013
    #17
    What version of iOS are you running?

    I'm on iOS 7.0.4 and the default Mail app says it's using token authentication.

    I haven't check the traffic sent though.
     
  18. JayLenochiniMac macrumors G5

    Joined:
    Nov 7, 2007
    Location:
    New Sanfrakota
    #18
    Any records of this happening in the past? I'd think it's a front page news if true.
     
  19. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #19
    So the OP's using a tool called Cain and Abel, which has this ability (emphasis mine):

     
  20. JayLenochiniMac macrumors G5

    Joined:
    Nov 7, 2007
    Location:
    New Sanfrakota
    #20
    Thanks. The OP made it sound like they weren't encrypted in the first place. Paranoid much?
     
  21. bartonjd thread starter macrumors member

    Joined:
    Oct 18, 2012
    Location:
    Logan, Utah
    #21
    I don't know that being concerned about broadcasting your password in plaintext is being paranoid. Perhaps I'm not as well informed in the areas of sniffing and traffic analysis, but I think it is a worthwhile concern and not overly paranoid.


    Yes it is ARP poisoning. So if C&A is providing the cert, it is ok that the password shows up as plaintext?

    I haven;t experienced this with Evomail, which I have been trying out this week.
     
  22. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #22
    Yes.

    The cert that C&A provides is bogus (not signed by a trusted certificate authority, hostname mismatch, etc) and your iPhone should have warned you of this dangerous situation.

    [​IMG]

    Only if you clicked the Continue button should the iPhone have used the bogus C&A cert, which is required for C&A to decrypt your SSL-encrypted data.

    IIRC, when we were playing around with C&A, every major website we tried logging into (using https://) "only" used SSL to encrypt the username/password/data. Meaning that if someone fell for a C&A MITM attack, everything would show as plain text.
     
  23. Applejuiced macrumors Westmere

    Applejuiced

    Joined:
    Apr 16, 2008
    Location:
    At the iPhone hacks section.
    #23
    I see now.
    That makes sense then how and why.
     
  24. bartonjd thread starter macrumors member

    Joined:
    Oct 18, 2012
    Location:
    Logan, Utah
    #24
    Thanks for the responses, this brings me some peace of mind, and a bit of a laugh too... I remember accepting the cert now that you post the screenshot.... Whoops
     
  25. sjinsjca macrumors 68000

    sjinsjca

    Joined:
    Oct 30, 2008
    #25
    Very big relief. Thanks, everybody, for getting to the bottom of that. Thanks to the OP for raising the issue, too. I'm sure a lot of visitors to this thread learned something.

    It's also a nice reminder to pay attention to those certificate pop-up. They're a valuable indicator that something is amiss that may indicate your security is compromised.
     

Share This Page