mailbox.org discovers unencrypted password transmission in myMail
At mailbox.org, security and privacy are of the utmost importance to us, particularly in the area of email communication. Therefore, we would like to inform you about a critical security vulnerability in the myMail client for iOS that we have recently discovered. This vulnerability results in unencrypted transmission of user passwords and emails.
Our team became aware of the issue after customers reported in our user forum that they were getting transmission errors when sending emails via the myMail client. Upon a thorough examination of the logs, we found that the myMail app attempts to transmit passwords without the required TLS encryption, thus leaving them unprotected and posing a significant security risk. Instead of sending the usual "STARTTLS" command after establishing a connection, the app continued to transmit the user's login details unencrypted. As a result, we were able to extract users' passwords from the connection logs.
At mailbox.org, we consistently reject unencrypted connections on our servers to ensure your security at all times. It was only for this reason that the myMail app's connection attempts failed, bringing the issue to our attention.
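The following sketch is an added example, not mailbox.org's tooling or log format. It walks a constructed SMTP command log, flags sessions that send AUTH before a completed STARTTLS handshake, and redacts the credential payloads so they do not remain readable in stored logs. The log layout, session ids and the `audit` helper are assumptions made for illustration.

```python
import re

# Constructed sample log; "<session> C:" is the client, "<session> S:" the server.
SAMPLE_LOG = """\
a1 C: EHLO phone.example
a1 C: AUTH PLAIN AGFsaWNlAGNvbnN0cnVjdGVk
a1 S: 530 5.7.0 Must issue a STARTTLS command first
b2 C: EHLO laptop.example
b2 C: STARTTLS
b2 S: 220 2.0.0 Ready to start TLS
b2 C: AUTH PLAIN AGJvYgBjb25zdHJ1Y3RlZA==
b2 S: 235 2.7.0 Authentication successful
c3 C: AUTH LOGIN
c3 C: Y2Fyb2w=
c3 C: Y29uc3RydWN0ZWQ=
""".splitlines()

LINE = re.compile(r"^(\S+) ([CS]): (.*)$")

def audit(lines):
    """Return (findings, redacted): cleartext AUTH attempts and a credential-free log."""
    tls, wants_tls, pending = {}, {}, {}
    findings, redacted = [], []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            redacted.append(raw)
            continue
        sid, side, text = m.groups()
        parts = text.split()
        verb = parts[0].upper() if parts else ""
        if side == "S":
            # TLS counts as active only once the server answers STARTTLS with 220.
            if wants_tls.pop(sid, False) and verb == "220":
                tls[sid] = True
        elif pending.get(sid, 0) > 0:
            # Continuation line of an AUTH exchange: base64 username or password.
            pending[sid] -= 1
            raw = f"{sid} C: [REDACTED]"
        elif verb == "STARTTLS":
            wants_tls[sid] = True
        elif verb == "AUTH":
            mech = parts[1].upper() if len(parts) > 1 else ""
            inline = max(len(parts) - 2, 0)  # credentials sent on the AUTH line itself
            pending[sid] = max({"PLAIN": 1, "LOGIN": 2}.get(mech, 0) - inline, 0)
            if not tls.get(sid):
                findings.append((sid, mech))  # password crossed the wire in cleartext
            raw = f"{sid} C: AUTH {mech}" + (" [REDACTED]" if inline else "")
        redacted.append(raw)
    return findings, redacted
```

The redaction errs toward hiding too much: lines following a rejected AUTH LOGIN are still treated as credentials, since a client that ignores the rejection may send them anyway.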
This problem not only affects our customers but also poses a general security risk for all users who use the myMail client. Contents and passwords can be intercepted and read by third parties, especially when users are in an open network. If other providers allow unencrypted connections and are used in conjunction with the current version of the myMail app, attackers can also read the content of unencrypted emails.
We strongly recommend that you stop using the myMail client with our service or other email providers until the app developers have resolved these security issues. There are numerous alternative email clients that offer higher security standards and better protect your privacy. At the same time, the current incident underscores the importance of communicating exclusively through securely configured systems that enforce encryption.