COMMAND
Eudora
SYSTEMS AFFECTED
Win systems running Eudora clients (Light and Pro, v4 too)
PROBLEM
Sander Goudswaard posted the following. Note however that the
following is a security issue only in specific environments like
classes with a bunch of computers. The mail program Eudora from Qualcomm Inc.
has the ability to save the mail password in its INI file ('save
password'). This password is encrypted in a not-too-strong way.
There's a program called EUDPASS.COM on the Net that can easily
decrypt this password. Of course, having the INI file means
someone can check your mail. But that 'someone' could not use the
password to log in directly to the machine the mail is stored on.
With this utility, the password itself can be obtained.
Thomas Kindler added the following. Additionally, if your Eudora INI
file, or any other data store used to "remember" passwords (MS
Internet Mail uses the registry), isn't secure neither a "port
switched" network nor TCP connection encryption will protect you.
Anyone can decrypt your password in five easy steps:
1. Install the associated mail application for example Eudora
with POP server configured as localhost
2. Copy the password entry from the target user's INI file
(or registry key in the case of Internet Mail)
3. Start a program designed to accept incoming TCP connections
on the POP port
4. Start the mail application and acquire mail
5. When the TCP connection is established send "+OK" twice
from the incoming TCP connection program and the password
will be returned UNENCRYPTED
SOLUTION
Although this is a known problem, no solution has been offered by
Qualcomm. Until they change the encryption algorithm, the
password can be easily decrypted by anyone with access to the INI
file. Don't save your password, or make sure your INI file
(better, the entire mail directory) can not be accessed by anyone.
Hopefully Qualcomm will change the algorithm some day. If users
want security, they have to type the password in every time,
period. If they choose to save it, they cannot be as secure.