Security warning for PopMan

Kea
Posts: 54
Joined: Sun Aug 26, 2007 7:36 am
Location: Sweden

Security warning for PopMan

#1 Post by Kea »

Using PopMan as portable makes it possible to put it on a USB flash drive and check your mail anywhere. But if you lose the flash drive, or if someone steals it, there is no protection for your mail accounts.

The password that is supposed to block illegal opening of PopMan depends on only two lines in PopMan.ini, and the ini file is not protected with any password. Under [Settings]:

LastKW=1
CurrPd=fl5aZQ==

where fl5aZQ== is the encrypted password.

So let's pretend that I am the thief who stole the USB flash drive.

Now I would change those two lines to

LastKW=0
CurrPd=

and save PopMan.ini. Then I can open PopMan without using any password, with access to all the mail accounts. The passwords for the accounts are still hidden with dots, but they can easily be retrieved with the free and portable X-Pass.

Then I have all the information I need to check and read all the mail on all the accounts on the stolen flash drive. If I do that with a mail client set to leave the messages on the server, there is practically no risk of disclosure!

Kea
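The weakness Kea describes is a design one: the lock is a flag and a stored master password in the same unprotected file as the account credentials, so the check only gates the user interface and the secrets remain readable. The following is an added model, written for this thread and not PopMan's own code, that contrasts that flag-gated design with one where the account password is encrypted under a key derived (PBKDF2) from the master password, so that clearing the two lines yields nothing usable. It assumes CurrPd is a reversible obfuscation (modelled as base64; PopMan's real encoding is unknown), uses a constructed AccountPd key and constructed sample passwords, and substitutes an HMAC-counter keystream for a real AEAD so it runs on the standard library alone. The tamper check applies exactly the two-line edit from the post and reports whether the reader still hands over the secret with no password.

```python
"""Added model (not PopMan's code): why a lock that is only a flag in the same
unprotected .ini file fails, and how a master-password-derived key fixes it."""
import base64
import binascii
import configparser
import hashlib
import hmac
import io
import os


def _load(ini_text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    return cfg


# ---- Design 1: lock flag + stored master password, as described in the post ----
# Assumption: CurrPd is a reversible obfuscation (modelled here as base64);
# PopMan's real encoding is not known and does not matter for the argument.
def build_flag_ini(master_pw: str, account_pw: str) -> str:
    return ("[Settings]\nLastKW=1\n"
            f"CurrPd={base64.b64encode(master_pw.encode()).decode()}\n"
            f"AccountPd={account_pw}\n")   # AccountPd is a constructed key name


def flag_gated_secrets(ini_text: str, master_pw: str):
    """Return the account password if the lock permits it, else None."""
    s = _load(ini_text)["Settings"]
    locked = s.get("LastKW", "0") == "1"
    expected = s.get("CurrPd", "")
    if locked and expected != base64.b64encode(master_pw.encode()).decode():
        return None
    # The check only gates the UI; the secret itself is readable in the file.
    return s["AccountPd"]


# ---- Design 2: account secret encrypted under a key derived from the master password ----
def _kdf(master_pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_pw.encode(), salt, 200_000, dklen=64)


def _keystream(enc_key: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a demonstration cipher so the block runs on the
    # standard library alone; real code should use an AEAD such as AES-GCM.
    blocks = (n + 31) // 32
    return b"".join(hmac.new(enc_key, i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(blocks))[:n]


def seal(master_pw: str, secret: str) -> str:
    salt = os.urandom(16)                      # fresh salt -> fresh key per secret
    key = _kdf(master_pw, salt)
    enc_key, mac_key = key[:32], key[32:]
    data = secret.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, len(data))))
    tag = hmac.new(mac_key, salt + ct, "sha256").digest()
    return base64.b64encode(salt + ct + tag).decode()


def open_sealed(master_pw: str, blob: str):
    """Decrypt; None on a wrong master password or any tampering with the blob."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 48:                          # salt(16) + tag(32) at minimum
        return None
    salt, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    key = _kdf(master_pw, salt)
    enc_key, mac_key = key[:32], key[32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct)))).decode()


def build_sealed_ini(master_pw: str, account_pw: str) -> str:
    # LastKW/CurrPd are kept only for layout; nothing depends on them any more.
    return ("[Settings]\nLastKW=1\nCurrPd=\n"
            f"AccountPd={seal(master_pw, account_pw)}\n")


def kdf_gated_secrets(ini_text: str, master_pw: str):
    s = _load(ini_text)["Settings"]
    return open_sealed(master_pw, s["AccountPd"])   # the flags are irrelevant here


# ---- Tamper check: apply the two-line edit from the post, then try with no password ----
def resists_flag_tamper(reader, ini_text: str) -> bool:
    cfg = _load(ini_text)
    cfg["Settings"]["LastKW"] = "0"
    cfg["Settings"]["CurrPd"] = ""
    buf = io.StringIO()
    cfg.write(buf)
    return reader(buf.getvalue(), "") is None


if __name__ == "__main__":
    weak = build_flag_ini("hunter2", "mail-secret")       # constructed sample values
    strong = build_sealed_ini("hunter2", "mail-secret")
    print("flag design resists tamper:", resists_flag_tamper(flag_gated_secrets, weak))
    print("kdf design resists tamper:", resists_flag_tamper(kdf_gated_secrets, strong))
```

The point of the second design is that there is nothing to "switch off": the master password is never stored or compared, it is the only input from which the decryption key can be derived, so the file on a lost drive is worth no more than the PBKDF2 work factor makes a guessing attack cost. Tools that reveal dotted-out fields recover only what the running program already holds in the clear, which is why the protection has to live in the storage format rather than in the UI.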

tproli
Posts: 1172
Joined: Sat Sep 09, 2006 10:14 am
Location: Hungary

Re: Security warning for PopMan

#2 Post by tproli »

There are some applications that behave similarly; for example, Sylpheed and FileZilla even store plain-text passwords in config files (but perhaps they have changed in the meantime).

webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Re: Security warning for PopMan

#3 Post by webfork »

tproli wrote: There are some applications that behave similarly, for example Sylpheed and FileZilla

If memory serves, I think FileZilla in particular passed on adding master password functionality, instead encouraging users to use encryption (like TrueCrypt). The idea here was that another password people had to remember doesn't mean real security. Although the option would be nice, I don't disagree.
