MailAnyoneAnywhere: a generous idea

But that does not make the idea actually usable. Beside using SMTP/TLS instead of plain SMTP, the implementation lacks security awareness (having to - securely - use hardcoded credentials alone is a software challenge already, proposing the application to the "general public" is... naive?)
"Mail Anywhere has its own Gmail® account!" is on the other hand... "incorrect": Mail Anywhere (the binary I could download on April, 22 2012 at least - still unchanged today) uses an account at mail.steppschuh.net (I didn't bother to check whether the statement was true for the previous version).

It is remarkable that nobody among the reviewers and software download sites "noticed" this: there is no communication with any google/gmail server whatsoever.

What I called a "security advisory" in my previous post is the simple consideration that the absence of certificate validation leaves no means to prevent the TLS session to be transparently proxyied/decrypted: anyone with basic knowledge of SMTP/TLS and MiTM techniques has got the credentials for the account in use by the application and could easily make the software useless (logging in and changing the password, for example)... let alone anyone with decompilation/debugger skills (strings is enough to clarify the source code is MS VisualBasic).

I was able to access the mailbox - I was certainly not the first one -, where I found no archive of Sent messages (it is probably a POP based service) but I did find an inevitable number of "careless replies" just addressed to noreply@steppschuh.net (which is cleary visible as the address the emails sent by the software originate from - gmail?!) and some private stuff of the author himself in the Inbox.

Actually, a few days ago, either an incident as I anticipated in my previous post eventually took place or the author decided to pull the plug, without any notice. None of the reviewers and software download sites as well, has published - as of today - anything about the actual (un)usability of the program at this moment (and I would say for awhile, given the hardcoded credentials).

I assume the author did read my email about one week ago because he actually removed the private messages lying around in the Inbox, therefore he might indeed have pulled the plug but it could also be the case that the ISP just temporarily disabled or definitely shutdown the account for policy infringment or exceeded disk quota or traffic, the authentication is temporarily not working or anything else: I couldn't say and I don't care.

For further details and possibly recommendations for the next freebie, you can always refer to
the trusted sources you got this piece of kidware from ;-)

Comments

Popular posts from this blog

SSLLabs SSL Test on 716 .gov https sites

Due minuti e mezzo per mezzanotte

Is DHS running honeypots?