
YoAfrica webmail security flaw exposes customer emails


Earlier today, a guy sent us an email at our tips@techzim.co.zw address with the subject “Security Flaw – yo.co.zw”. Here are the contents of that email:


Hie there

I know it’s free webmail. The returns from ads are perhaps meagre and not worth any extra time coding and troubleshooting. But that does not and should not justify silly loopholes on a webmail that I have loved for so long (in my quest to see local tech thrive, that is).


Let it be known that I am no geek, nerd, whiz-kid or whatever entitles me to be, and be labelled, a hacker. Doing my cyber rounds I stumbled upon what I deem to be the silliest loophole ever on the net.

TechZim Admin, go onto yo.co.zw, sign up for a free xxx@yo.co.zw email address, and mail me that e-mail address, and I will be sure to reply to you with a snapshot of your inbox. When satisfied, I will then tell you how to do it, so that Yo!Africa can fix this.

rgds

We created a tz_at_yo@yo.co.zw account, sent some mail to it and gave our hacker the email address. He responded shortly after with a screenshot of our new mailbox (below).

[Screenshot: the tz_at_yo mailbox]

We’re still not sure how he did it, as our comms with him went dead before we discussed everything. We tried a few simple tricks of our own just to see if we could get into a mailbox without entering a password. We did, and here’s how: when you log into the free webmail system on the www.yo.co.zw website, you get a link that you have to click to open your mailbox. The link’s underlying URL looks something like this: http://www.yo.co.zw/index.php?option=com_webmail&name=tz_at_yo

Now, replacing the username (tz_at_yo in this case) with any other free Yo webmail address would get you into that user’s mailbox: the page simply opened whichever mailbox the name in the URL pointed to, regardless of who had actually logged in. Yes, embarrassingly simple. We tried a couple of random addresses and got into a few (we didn’t read the emails, of course).
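As an added illustration (not Yo!Africa’s code, whose internals the article does not show), here is the same access-control mistake in a small Python handler: one version picks the mailbox from the `name` parameter alone, the fixed version ties it to the logged-in session and refuses a mismatching name, and a log check flags requests where the two disagree. The mailbox contents, session names and access-log lines are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the mail store; not real accounts or messages.
MAILBOXES = {
    "tz_at_yo": ["Test mail 1 from Techzim", "Test mail 2 from Techzim"],
    "someone_else": ["A private message"],
}

@dataclass
class Session:
    user: Optional[str]  # who actually logged in; None when nobody did

def name_param(url: str, default: str = "") -> str:
    """Return the `name` query parameter of a webmail link, or `default`."""
    return parse_qs(urlparse(url).query).get("name", [default])[0]

def open_mailbox_vulnerable(session: Session, url: str) -> List[str]:
    """The mistake the article describes: whichever name is in the URL wins.
    The session is never consulted, so editing `name` opens another inbox."""
    return MAILBOXES.get(name_param(url), [])

def open_mailbox_fixed(session: Session, url: str) -> List[str]:
    """Hardened handler: the mailbox is bound to the authenticated session;
    a `name` parameter that points at anyone else is refused, not honoured."""
    if session.user is None:
        raise PermissionError("login required")
    if name_param(url, session.user) != session.user:
        raise PermissionError("name parameter does not match the logged-in user")
    return MAILBOXES.get(session.user, [])

# Constructed access-log lines in the form "user=<session user> url=<link>".
SAMPLE_LOG = [
    "user=tz_at_yo url=http://www.yo.co.zw/index.php?option=com_webmail&name=tz_at_yo",
    "user=tz_at_yo url=http://www.yo.co.zw/index.php?option=com_webmail&name=someone_else",
    "user=someone_else url=http://www.yo.co.zw/index.php?option=com_webmail&name=someone_else",
]

def flag_mismatches(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Detection: (session user, requested name) pairs that disagree.
    On a correctly built system this list is always empty."""
    hits = []
    for line in log_lines:
        user_field, url_field = line.split(" ", 1)
        user = user_field.split("=", 1)[1]
        url = url_field.split("=", 1)[1]
        requested = name_param(url, user)
        if requested != user:
            hits.append((user, requested))
    return hits

if __name__ == "__main__":
    other = "http://www.yo.co.zw/index.php?option=com_webmail&name=someone_else"
    print(open_mailbox_vulnerable(Session("tz_at_yo"), other))  # leaks the other inbox
    print(flag_mismatches(SAMPLE_LOG))
```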

We alerted someone at YoAfrica and it got fixed within the hour.

We’re stressing that this is “free webmail” because, as far as we could tell, the flaw only affected the free yo.co.zw email addresses that users sign up for at the www.yo.co.zw website. At the moment, nothing suggests that private domains with email hosted at YoAfrica are affected.

It’s also not clear how long it’s been like this. We’ve written to the YoAfrica leadership to get more information and will update when we hear back.

YoAfrica is one of Zimbabwe’s biggest ISPs. Going forward, it’ll probably be difficult for anyone reading this to trust YoAfrica with their email. And sadly, the trust issue may affect other local ISPs as well.

Update:
The guy that sent us the hack is called Chrispen Nyamandwe, he’s a student at NUST.




40 thoughts on “YoAfrica webmail security flaw exposes customer emails”

  1. Same old crap of poorly designed security concepts in Zimbabwean products. The threat landscape is changing and sooner or later the bad guys will see more benefits of hacking Zim companies for $$$$ gains. Most Zim organisations’ IT environments are like open graves full of a lot of holes/vulnerabilities that can be easily exploited. This puts personally identifiable customer data at risk. Sort it out guys and invest a bit in securing your infrastructure, thus also protecting your customers at the same time.

  2.  That was very silly. But anyway, we are helping each other to build our products. Kudos to Techzim for the platform to make sure we the consumers are getting better services by the day. 

  3.  Well at least this flaw is getting them publicity. I am sure that they have seen a spike in new sign ups since this article went up lol.

    1. I guess that’s what you get for using Joomla plugins for everything. I have seen a lot of people implementing code that they don’t understand.

  4. Security is an issue most organisations in Zimbabwe are ignoring, even in the banking sector. We had a few examples of hacked banks like the RBZ in the early 2k, and a UZ student performed a man-in-the-middle attack on CBZ, and I understand he is now one of their security guys.

    1. Security is a worldwide issue, not Zimba alone. On the issue of the UZ student, he is not the only one who has benefited from such actions, nor is CBZ naive. Barclays UK did it, Scotland Yard did the same. The adviser of Barack Obama is from the Blackhat hackers. So nothing surprising here.

  5. It is worth noting that if you check the IPs of webmail.yo.co.zw and webmail.yoafrica.com they appear to be different machines. And it will only affect mail addresses on the yo.co.zw domain. So while not great, it isn’t a serious compromise of all their main mail. Good to see they fixed it so soon. It appears webmail.yo.co.zw has been upgraded to a newer version of Roundcube (since when I last used it); I wonder if the upgrade is related to the issue.

    People make mistakes; the same thing just happened to SONY when they launched their new PSN change password page… If you knew another person’s email and DOB you could reset their password. This just after the whole PSN getting hacked scandal, and everyone requiring a password reset…

  6. Schneier’s Law: “any person can invent a security system so clever that she or he can’t think of how to break it.” This means the only experimental methodology for discovering loopholes or mistakes in your system is to tell all the smart people you can about it and ask them to think of ways to break it. … Cory Doctorow.

    I suppose that’s why open source systems are far better than systems built by a few individuals, and that’s not to say Zimbos can’t produce high quality code, but to say this is how better systems are produced… through rigorous testing and user contributions like this one.

    1. It’s a fallacy that this can be classified as user testing in the context of either testing security or developing open-source systems.

      If “Chrispen Nyamande” had any sort of altruistic motives, he would have contacted YoAfrica directly and told them about the flaw. The fact that he went to TechZim right off the bat indicates, to me, that he was acting in bad faith 🙂

      Way to make friends, Chrispen.

  7. Security is dynamic, a constantly moving target. You cannot sit and relax hoping your systems are secure. And to blame Zimbos for lack of knowledge of security is a total thinking based on misinformed guidance.

    Security is a worldwide problem affecting both advanced and novice users. Just recently look at what happened to Sony networks and RSA!

    Our problem as Zimbos is that we are good at opposing everything Zimbabwean; malice, witchcraft and envy are all we know how to do, not helping one another.

  8. @ea25193fe8b994b12d8d7ce0e892a1b6:disqus , why do you seem angry about all this? I agree with some of your sentiments about the Zimbabwean approach of pulling each other down. At the same time I am against your defensiveness and not wanting to admit where we lack… with such mindsets we won’t succeed. Security is a global issue, that’s true, and most of the largest corps, RSA, SONY etc., are being hit by hackers. This means Zimba can be a target at any point. At this moment we don’t have security capacity; we need to do a lot of work to develop it. There are some guys right here in Harare who know a lot, but the playing field of IT security is limited in Zim, and hence our organisations and perceptions need to change, and we start from the basics rather than being defensive.
    If the 1st world is still struggling to protect themselves then it proportionally means that in Zim we haven’t started any form of security… so let’s look globally and see how we can adapt some concepts to implement in Zim.

    1. @22e51b49e539ea6b935ea444358e71b3:disqus you are right, I was angry about all this because every time anything with Zimbo origin is quickly shot down by some people here without a proper technical back-up.

      On the other hand, I’m not being outright defensive, I’m defending our local techies who are doing wonderful things against all the odds. It’s something I feel proud about and ready to learn from.

      I do criticise when it’s appropriate, ask David.

      1. You should know better than to think ‘criticism’ requires a proper technical background. I’m certain you know that when testing and validating, it’s not the technically sound people that will give you exhaustive test cases which you then go home and have a good night’s sleep over, thinking my system is super and robust.

        Secondly, I pretty much think you should give credit to the young man who raised the alarm, even though he went round through the media instead of directly to Yo!Africa. In any case we don’t know if he didn’t alert Yo! webmasters or he did, so unless you can prove him guilty, he is innocent of that charge (by benefit of the doubt, that is). I do not for a minute think the actions of the young lad were mockery, or taunting that Yo!Africa is useless. Cut the boy some slack Macd, he did say, quoting “But that does not and should not justify silly loopholes on a webmail that i have loved for so long (in my quest to see local tech thrive that is.)”

        At the same time, I give two thumbs up to Mr Kabweza for a platform such as this, where we can talk about the goings-on of our technology. I still think, outside the confines of this particular article, this right here is a great site.

        1. “In any case we don’t know if he didn’t alert Yo! webmasters or he did, so unless you can prove him guilty, he is innocent of that charge (by benefit of the doubt that is)”

          He didn’t go directly to Yo!Africa, that’s why in my comment above, I say he was acting in bad faith.

    1. Does ZOL have a comparable free webmail for Zimbos? This hasn’t affected their main mail servers, only the yo.co.zw domain on the free site.

      Not an excuse for the free one, but you’re better off comparing apples to apples, i.e. ZOL’s paid email to YO’s paid email. As I am not a ZOL customer, I am interested in knowing what email functionality this new expensive system has over the Roundcube (I presume) OSS solution YO are using.

  9. We don’t do free email addresses. To be honest I never saw the point when there are Yahoo and Google free addresses. If you can convince me there is a demand for free (BTW we would not use a different system for free) then I’d be happy to do it. Let me know! Our system also allows sending 100% SECURE and encrypted emails from ANY ZOL address to any other address in the world. It’s just one of the features we have. http://securesend.zol.co.zw This allows anyone to securely communicate with ZOL customers – regardless of their ISP.

    Incidentally if you wanted a free ZOL address there is a sneaky way to get one if you sign up for Dipleague http://dipleague.zol.co.zw/changezol 

    Enjoy ZOL 🙂

    1. David, don’t be too confident, your system is not as secure as you think; like it or not ZOL has loopholes.

      1. I’m sure it does 🙂  In fact I’m positive it does!  I never said our systems are all 100% sure.  I said you can send “100% secure and encrypted emails” – which is subtly different to saying “our system is 100% secure”!

    2. David – I understand this is a good opportunity to take pot-shots at your competition, but “100%” sounds a little bold (perhaps even a touch brave – should someone capable read that as a challenge).

      For a little perspective, the following entities have had their systems breached:
      Sony (starting with the obvious)
      Microsoft
      CIA
      NASA
      Google

      I haven’t decided if I’d be impressed or disappointed if you genuinely think your (collective) security expertise is better than the organizations listed.

      1. Hi Tapiwa

        Wasn’t trying to take “pot-shots”. What happened to Yo can happen to anyone, including ZOL, and it is most unfortunate. We all make mistakes! My point still remains – something free has no value to the user or supplier – hence logically would be under-funded and under-monitored/upgraded. Yahoo/Google have free email – but make a killing out of the ads.

        BTW I am personally against the way in which this exploit was made public before allowing Yo time to fix it.  I think Yo could have been given 48 hours to fix, before it was published.  Then after that (whether or not it is fixed) go ahead and publish. I just think the upside vs downside of publishing first is not positive – for any of the stakeholders.

        I am sure “some aspects” of “some systems” at those companies you mentioned have been breached – but certainly not all!  The only system that is 100% secure from remote breaches (vs physical) is one that is not connected!

        Security breaches are really caused by two fundamental issues:

        1) User error – such as poor choice of passwords, leaving yourself logged in, key-stroke loggers etc

        2) Software bugs or configuration errors – which I think was the cause of the Yo issue and shows the importance of upgrading.

        Now if you look at my posting carefully I said, “Our system also allows sending 100% SECURE and encrypted emails from ANY ZOL address to any other address in the world”.  Note I *NEVER* said our system was 100% secure.  I just said it allows you to send 100% secure messages.  There is a big difference.  We have a very simple and user-friendly interface to PGP.  http://en.wikipedia.org/wiki/Pretty_Good_Privacy  Let me quote, “To the best of publicly available information, there is no known method which will allow a person or group to break PGP encryption by cryptographic or computational means.”

        This means a “lay person” can use the ZOL email system to send 100% secure messages *EVEN IF* the ZOL system itself is not secure.

        If you have information so important and so secret, do NOT trust a third party with the key!  Keep the key yourself!

        1. Just for the record: Techzim alerted Yo about the email flaw before publishing. When they assured us it had been fixed, we verified and published.

          We did this for Yo and more importantly because there’s a third party involved, the Yo customers. Publishing before giving them a chance to fix would have hurt the customers.

          1. Sorry about that. I did think it wasn’t like you not to be responsible.  From one of the comments I misunderstood to think you had put it up. Sorry!

    3. Hi David, seems you have a lot of time as CEO of ZOL to be reading through this post. Could you please put more time into offering us a better pricing structure for your various internet services, e.g. for VSAT you offer a high speed of 1mb and give a cap of 512mb for the whole month, which seems like a very useless package considering the amount and time spent to get the kit installed.
      Most users on the Windows platform, not to mention even on open source platforms like Linux Ubuntu, need more cap to download apps and updates.

      1. Hi “David” 🙂

        I enjoy these forums, because they let me interact with customers and potential customers.  I also find the ideas and discussion stimulating.  I don’t have a lot of free time!

        I think there is some confusion in your mind on our VSAT offerings. Our speeds are 2mbps (not 1mbps) and we offer a wide range of “caps” right up to unlimited at $1,200 a month. Unfortunately VSAT is expensive, and the more you use, the more you “occupy” the airwaves and the more you have to pay. The 512MB package is entry level and really only designed for a single user doing critical email and browsing. We have that package so that very light users can affordably access the Internet ($180 per month). What is useless to you may well be very useful to someone else.

        One windows update can in fact consume your entire allowance – I know 🙁

        Watch this space though.  We expect to launch an even faster service (and cheaper) within 2 months.  We are trying to get it to 4mbps speed and have the per GB to be cheaper than the current 3G prices – which for VSAT is very impressive.

  10. The question I have is what was Chrispen Nyamandwe doing when he noticed the flaw in the Yo email interface.

    1. I think Chrispen did a great thing! You can be a hacker and be ethical.  He should send me his CV 🙂   

  11. Hi L.S.M Kabweza, can you please specify: did Chrispen tell you how to do the hack, or did you try some methods and find out yourself?
    “We’re still not sure how he did it as our comms with him went dead before we discussed everything. We tried a few simple tricks of our own just to see if we could get into a mailbox without entering a password. We did, and here’s how…..”

    1. He was about to say when the phone line went dead (airtime or network issue…).

      We tried out some methods and found out ourselves. And no, we’re not hackers (evil or ethical); this is like one of the basic things you try when accessing a login-protected system.

  12. For one I am happy with what David is doing and he seems to take his job seriously indeed. I am a customer of ZOL and a few months ago I had to write to him because I was dissatisfied with the service I was getting from ZOL, and a few days later my wife was called and someone attempted to solve the issue. Which means that he seems to listen. I wish all the guys in Zim were like that; their service would really improve.
