Security warning for PopMan

Posted: Mon Jun 22, 2015 12:57 pm
by Kea
Using PopMan as portable makes it possible to put it on a USB flash drive and check your mail anywhere. But if you lose the flash drive, or if someone steals it, there is no protection for your mail accounts.

The password that is supposed to block illegal opening of PopMan depends on only two lines in PopMan.ini, and the ini file is not protected by any password. Under [Settings]:

LastKW=1
CurrPd=fl5aZQ==

where fl5aZQ== is the encrypted password.

So let's pretend that I am the thief that stole the USB flash drive.

Now I would change those two lines to

LastKW=0
CurrPd=

and save PopMan.ini. Then I can open PopMan without using any password, with access to all the mail accounts. The passwords for the accounts are still hidden with dots, but they can easily be retrieved with the free and portable X-Pass.

Then I have all the information I need to check and read all the mail on all the accounts on the stolen flash drive. If I do that with a mail client set to leave the messages on the server, there is practically no risk of disclosure!

Kea
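To show why the two-line lock described above gives no protection, here is an added illustration (not PopMan's code, and not how PopMan stores anything): a flag-style lock like the one in the post, beside a design where the account passwords are encrypted under a key derived from the master password, so that editing the ini reveals nothing. The field names Salt, AccPd and Tag are invented for the example, and the HMAC counter keystream is a toy stand-in for a real AEAD cipher.

```python
# Added illustration (not PopMan's code): a lock that is only a flag in an
# unprotected ini file, contrasted with binding the stored account passwords
# to a key derived from the master password.
import base64
import hashlib
import hmac
import os

# Flag-style lock, modelled on the two PopMan.ini lines quoted in the post:
# the gate is a boolean plus a stored password, and the account data is not
# bound to either, so the check can be audited (and defeated) by editing text.
def flag_lock_opens(settings: dict) -> bool:
    """True if this settings dict would start the app without asking for a password."""
    return settings.get("LastKW", "0") == "0" or settings.get("CurrPd", "") == ""

# Key-derived design: account passwords are encrypted under a key derived from
# the master password; no ini edit can reveal them without that password.
def _derive(master: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=32)

def _keystream(key: bytes, n: int) -> bytes:
    # Toy HMAC-SHA256 counter-mode keystream; a real app would use AES-GCM.
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
    return out[:n]

def seal_account_password(master: str, account_pw: str) -> dict:
    """Returns the ini-style fields (hypothetical names) that would be stored."""
    salt = os.urandom(16)
    key = _derive(master, salt)
    ct = bytes(a ^ b for a, b in zip(account_pw.encode(), _keystream(key, len(account_pw))))
    tag = hmac.new(key, salt + ct, "sha256").digest()   # detects any edit to the file
    return {"Salt": base64.b64encode(salt).decode(),
            "AccPd": base64.b64encode(ct).decode(),
            "Tag": base64.b64encode(tag).decode()}

def open_account_password(master: str, settings: dict):
    """Returns the account password, or None if the master password is wrong or the fields were edited."""
    salt, ct, tag = (base64.b64decode(settings[k]) for k in ("Salt", "AccPd", "Tag"))
    key = _derive(master, salt)
    if not hmac.compare_digest(tag, hmac.new(key, salt + ct, "sha256").digest()):
        return None   # wrong master password or tampered ini: nothing is revealed
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))).decode()
```

With the flag design, blanking two lines opens the program; with the key-derived design, blanking or editing any field only makes the stored passwords unrecoverable.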

Re: Security warning for PopMan

Posted: Mon Jun 22, 2015 1:04 pm
by tproli
There are some applications that behave similarly, for example Sylpheed and FileZilla even store plain-text passwords in config files (but perhaps they have changed in the meantime).

Re: Security warning for PopMan

Posted: Mon Jun 22, 2015 4:25 pm
by webfork
tproli wrote: There are some applications that behave similarly, for example Sylpheed and FileZilla
If memory serves, I think Filezilla in particular passed on adding master password functionality, instead encouraging users to use encryption (like TrueCrypt). The idea here was that another password people had to remember doesn't mean real security. Although the option would be nice, I don't disagree.