Using PopMan as portable makes it possible to put it on a USB flash drive and check your mail anywhere. But if you lose the flash drive, or if someone steals it, there is no protection for your mail accounts.
The password that is supposed to block illegal opening of PopMan depends on only two lines in PopMan.ini, and the ini file is not protected with any password. Under [Settings]:
LastKW=1
CurrPd=fl5aZQ==
where fl5aZQ== is the encrypted password.
So let's pretend that I am the thief that stole the USB flash drive.
Now I would change those two lines to
LastKW=0
CurrPd=
and save PopMan.ini. Then I can open PopMan without using any password, with access to all the mail accounts. The passwords for the accounts are still hidden with dots, but they can easily be retrieved with the free and portable X-Pass.
Then I have all the information I need to check and read all the mail on all the accounts on the stolen flash drive. If I do that with a mail client set to leave the messages on the server, there is practically no risk of disclosure!
Kea
Security warning for PopMan
Re: Security warning for PopMan
There are some applications that behave similarly; for example, Sylpheed and FileZilla even store plain-text passwords in config files (but perhaps they have changed in the meantime).
Re: Security warning for PopMan
tproli wrote: There are some applications that behave similarly, for example Sylpheed and FileZilla
If memory serves, I think FileZilla in particular passed on adding master password functionality, instead encouraging users to use encryption (like TrueCrypt). The idea here was that another password people had to remember doesn't mean real security. Although the option would be nice, I don't disagree.
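
The contrast this thread turns on, as an added example that is not part of any post and is not PopMan's or FileZilla's code: a lock that is only two editable ini values, beside stored secrets encrypted under a key derived from the master password. The function names, the dict layout and the sample secret are assumptions made for illustration, and the HMAC-based keystream is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os

def flag_gate(settings, stored_secret):
    """Model of the gate in the first post: lock state is two editable ini values."""
    if settings.get("LastKW") == "0" and not settings.get("CurrPd"):
        return stored_secret      # no prompt is shown, stored data is usable as-is
    return None                   # a password prompt would be shown

def _keys(password, salt):
    # Stretch the master password into an encryption key and a MAC key.
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode, used only to keep this example stdlib-only.
    # Assumption: production code would use a vetted AEAD (e.g. AES-GCM) instead.
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(password, secret):
    """Encrypt an account secret under a key derived from the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ct = _xor_stream(enc_key, nonce, secret)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(password, blob):
    """Return the secret, or None if the password is wrong or the blob was edited."""
    enc_key, mac_key = _keys(password, blob["salt"])
    body = blob["salt"] + blob["nonce"] + blob["ct"]
    expect = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        return None
    return _xor_stream(enc_key, blob["nonce"], blob["ct"])

if __name__ == "__main__":
    secret = b"constructed-account-password"          # constructed sample value
    locked = {"LastKW": "1", "CurrPd": "fl5aZQ=="}    # the two lines quoted above
    edited = {"LastKW": "0", "CurrPd": ""}
    print(flag_gate(locked, secret), flag_gate(edited, secret))
    blob = seal("master-pw", secret)
    print(unseal("master-pw", blob), unseal("", blob))
```

With the sealed form there is no flag to clear: the stored fields are useless without the master password, which is the property full-volume encryption of the flash drive also provides.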