BlackBerry purportedly sending users' email credentials in cleartext

BlackBerry 10 users' email credentials are being sent to a server belonging to the mobile manufacturer.

Upset that BlackBerry has yet to address a potentially major security and privacy vulnerability in the BlackBerry 10 email client, a security company said Monday that it is fed up with the response and has notified federal authorities.

"Due to the severity of this issue, and the apparent lack of mainstream press, Risk Based Security has reached out to clients and some contacts, including the FBI, warning them of the potential privacy and security issue," the company said in a statement.

Roughly two weeks ago, German researcher Frank Rieger disclosed that email credentials are being sent to BlackBerry's developer, Canada-based Research in Motion (RIM), without consent or warning when a user enters their POP or IMAP email account details into the standard BlackBerry 10 email client, known as Discovery Service.

“You should delete your email accounts from any BlackBerry 10 device immediately, change the email password and resort to using an alternative mail program like K-9 Mail (an open-source email client for Android),” Rieger wrote.

After tinkering with the device, he found that a Canadian server was connecting to his mail server and logging his credentials. He discovered that the server belonged to RIM.
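The symptom Rieger noticed, a server he did not control logging in to his mailbox, is visible in the mail server's own authentication log. The script below is an added example (not from the article, Rieger or RIM): it parses constructed Dovecot-style login lines and flags logins to a mailbox from outside the networks its owner is assumed to use, noting whether each such session was protected by TLS, since a third-party login over a cleartext connection means the password itself travelled unencrypted.

```python
import ipaddress
import re

# Constructed sample log lines modelled on Dovecot's "Login:" messages.
SAMPLE_LOG = """\
Jul 17 09:01:12 mail dovecot: imap-login: Login: user=<frank>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Jul 17 09:01:40 mail dovecot: imap-login: Login: user=<frank>, method=PLAIN, rip=203.0.113.77, lip=198.51.100.5
Jul 17 09:02:03 mail dovecot: pop3-login: Login: user=<anna>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.5, TLS
Jul 17 09:05:55 mail dovecot: imap-login: Login: user=<frank>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
"""

# Networks each mailbox owner actually connects from (home, office, phone
# carrier). These are assumed values for the example, not from the article.
TRUSTED_NETS = {
    "frank": [ipaddress.ip_network("192.0.2.0/24")],
    "anna": [ipaddress.ip_network("192.0.2.0/24")],
}

# Protocol, user and remote IP of a successful login; "rest" keeps the tail
# of the line so we can see whether Dovecot tagged the session as TLS.
LOGIN_RE = re.compile(
    r"(?P<proto>imap|pop3)-login: Login: user=<(?P<user>[^>]+)>, .*?rip=(?P<rip>[\d.]+)"
    r"(?P<rest>.*)$"
)

def parse_logins(log_text):
    """Yield (user, proto, remote_ip, used_tls) for every login line."""
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        used_tls = "TLS" in m.group("rest")
        yield m.group("user"), m.group("proto"), ipaddress.ip_address(m.group("rip")), used_tls

def find_suspect_logins(log_text, trusted_nets):
    """Return logins whose source address lies outside the owner's trusted networks."""
    findings = []
    for user, proto, rip, used_tls in parse_logins(log_text):
        nets = trusted_nets.get(user, [])
        if not any(rip in net for net in nets):
            findings.append({"user": user, "proto": proto, "rip": str(rip), "tls": used_tls})
    return findings

if __name__ == "__main__":
    for f in find_suspect_logins(SAMPLE_LOG, TRUSTED_NETS):
        print(f"{f['user']}: unexpected {f['proto']} login from {f['rip']} "
              f"({'TLS' if f['tls'] else 'cleartext'})")
```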

“The client should only connect directly to your mail server and no one else,” Rieger wrote in a post, dated July 17. “A phone hardware vendor has no right to for whatever reason harvest account credentials back to his server without explicit user consent and then on top of that connect back to the mail server with them.”

A RIM spokesperson denied the existence of a "backdoor" and asserted in a statement on Tuesday that BlackBerry's Discovery Service does not store email passwords. Credentials are only used to simplify the email set-up process, the company said in the statement, adding that users can go to advanced configuration to bypass the Discovery Service (and its terms and conditions) and set everything up manually.

But Risk Based Security, which sponsors the nonprofit data breach repository DataLossDB and the Open Sourced Vulnerability Database, said it's not buying that.

“This appears to be validation from RIM that credentials are sent and dodges the question of the default configuration sending in cleartext,” the company said, adding the problem is amplified by the majority of users who will turn to the Discovery Service to set up email and never be aware of the issue.

One of the bigger problems, Rieger discovered, is that users who have not enabled SSL/TLS encryption on their mail server will have their credentials sent to the RIM server in cleartext, meaning anyone with working eyes and access to the user's or RIM's network traffic can easily steal them.

Rieger reiterated that the issue is only about entering private IMAP or POP email credentials into the BlackBerry 10 Discovery Service and is not related to PIN messaging, push messaging or any other service where credentials are expected to be sent to RIM.

In the BlackBerry end-user/software license agreement, Risk Based Security points out, there is no mention that information will be sent to RIM or that users are responsible for such communications. RBS called the issue an “inexcusable vulnerability” and likened it to a vendor backdoor.
