Packet Storm, PACKETSTORM:11798
Aug 17, 1999 - 12:00 a.m.

mac.email.passwd.txt

packetstormsecurity.com
`You may read this story online at:  
<http://www.maccentral.com/news/9906/15.sonata.shtml>  
  
---  
  
Email encryption problems should be solved in Sonata  
  
If you're using a free Mac email application, you inherently have a   
lack of secure encryption as Andrew Jung, a computer science student   
at Camosun College (Victoria BC, Canada), recently discovered. Jung   
was using Outlook Express 4.5 on the family iMac when he came upon   
what he described as a "disturbing bug."  
  
Jung attempted to use the "Change Current User" menu item of Outlook   
Express to access his personal email account (three separate email   
accounts were on the family Mac) when he realized he'd forgotten his   
password. He clicked "Cancel" and was returned to the account selection   
dialog.  
  
"I selected my step father's account, typed in his password, and got   
a message saying that his password was incorrect," Jung says. "I try   
again and again. No go. Then for the heck of it I looked up my   
password for my account, tried it, and got it. I did the procedure   
again over and over, and I can reproduce it every time. Whatever   
account I click and then cancel, that is the password for all the   
accounts."  
  
The situation can be reproduced this way:  
  
1. Open Outlook Express and at the user account dialog select "New User."   
   In the settings type in any password you want.  
2. Select change user from File.  
3. Select the newly created account, then click "OK."  
4. Click cancel at the password prompt.  
5. Select the user's account you would like to break into, and click "OK."  
6. Type in YOUR password for the new account and you're in.  
  
DON'T try this at work or to access anyone's email account without   
permission. This was for "demonstration purposes" only.  
  
MacCentral contacted the Microsoft Macintosh Business Unit at Microsoft,   
and Product Manager Irving Kwong confirmed the problem. He says Outlook   
Express doesn't encrypt mail data stored in the application - but that   
the problem isn't unique to Microsoft's free email application.  
  
"Encryption functionality of mail data does not exist in any free   
Macintosh email application, as this level of security is best executed   
at the operating system level," Kwong says. "Outlook Express' password   
protection between multiple users on the same computer is not secure.   
The password merely acts as a padlock on users' personal preferences."  
  
So what is a secure solution? Kwong says it's coming with the next ramp   
of the Mac OS, codenamed Sonata.  
  
"You may remember Sonata's new multiple user environment being   
demonstrated at the WWDC," Kwong says (check out our story at   
http://www.maccentral.com/news/9905/10.sherlock.shtml). "We have been   
working on support for Sonata's multi-user functionality for Outlook   
Express and demonstrated this technology at the WWDC. This is the   
first offering of system-level security for multiple users sharing a   
Macintosh and is the best solution for true support, as it ensures   
password and data security. For Outlook Express customers and   
Macintosh users looking for a password secure solution for multiple   
users sharing a computer, we suggest using the upcoming version of   
Outlook Express with Sonata. The combination of Outlook Express and   
Sonata is a secure solution for Macintosh users doing email from the   
same computer."  
  
Sonata is due in the second half of the year.  
  
`