
mailbox.org discovers unencrypted password transmission in myMail


At mailbox.org, security and privacy are of the utmost importance to us, particularly in the area of email communication. Therefore, we would like to inform you about a critical security vulnerability in the myMail client for iOS that we have recently discovered. This vulnerability results in unencrypted transmission of user passwords and emails.

Our team became aware of the issue after customers reported in the user forum that sending emails via the myMail client failed with transmission errors. Upon a thorough examination of the logs, we found that the myMail app attempts to transmit passwords without the required TLS encryption, leaving them unprotected and posing a significant security risk. Instead of sending the usual "STARTTLS" command after establishing a connection, the app went straight on to transmit the user's login details unencrypted. As a result, we were able to extract users' passwords from the connection logs.

At mailbox.org, we consistently reject unencrypted connections on our servers to ensure your security at all times. It was only for this reason that the myMail app's connection attempts failed, bringing the issue to our attention.
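The behaviour described above can be checked for in server-side SMTP session logs. The following Python scan is an added example, not mailbox.org's tooling: it flags every session in which the client sent AUTH before the server had accepted STARTTLS, and redacts the credential in its findings. The log layout, session ids, host names and the dummy credential are constructed for illustration.

```python
import re

# Constructed sample transcript. The "<session> C:/S:" layout is a made-up
# format for this example, not mailbox.org's log format; the base64 value
# is a dummy credential, not a real one.
SAMPLE_LOG = """\
a1 S: 220 mx.example.net ESMTP
a1 C: EHLO phone.example
a1 S: 250-mx.example.net
a1 S: 250 STARTTLS
a1 C: AUTH PLAIN AHVzZXIAcGFzc3dvcmQ=
a1 S: 530 5.7.0 Must issue a STARTTLS command first
b2 S: 220 mx.example.net ESMTP
b2 C: EHLO laptop.example
b2 S: 250 STARTTLS
b2 C: STARTTLS
b2 S: 220 2.0.0 Ready to start TLS
b2 C: EHLO laptop.example
b2 C: AUTH PLAIN AHVzZXIAcGFzc3dvcmQ=
b2 S: 235 2.7.0 Authentication successful
"""

LINE = re.compile(r"^(\S+) ([CS]): (.*)$")

def find_cleartext_auth(log_text):
    """Return (session, redacted command) for each AUTH sent before TLS was active."""
    state = {}      # session id -> "plain" | "pending" | "tls"
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        sid, side, text = m.groups()
        st = state.setdefault(sid, "plain")
        parts = text.split()
        verb = parts[0].upper() if parts else ""
        if side == "C":
            if verb == "STARTTLS":
                state[sid] = "pending"
            elif verb == "AUTH" and st != "tls":
                mech = parts[1].upper() if len(parts) > 1 else "?"
                # Never copy the credential itself into the report.
                findings.append((sid, f"AUTH {mech} [REDACTED]"))
        elif st == "pending":
            # TLS is only in effect once the server accepts STARTTLS with 220.
            state[sid] = "tls" if text.startswith("220") else "plain"
    return findings

if __name__ == "__main__":
    print(find_cleartext_auth(SAMPLE_LOG))
```

Session `a1` is reported because AUTH arrives on the cleartext connection; session `b2` is not, because the server had already accepted STARTTLS.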

This problem not only affects our customers but also poses a general security risk for everyone who uses the myMail client. Email contents and passwords can be intercepted and read by third parties, especially when users are on an open network. If other providers allow unencrypted connections and are used in conjunction with the current version of the myMail app, attackers can also read the content of unencrypted emails.

We strongly recommend that you stop using the myMail client with our service or other email providers until the app developers have resolved these security issues. There are numerous alternative email clients that offer higher security standards and better protect your privacy. At the same time, the current incident underscores the importance of communicating exclusively through securely configured systems that enforce encryption.
