Say What? BlackBerry 10 Email Setup Sends Full Account Credentials To BlackBerry Corporate Servers

BlackBerry is big on security, but according to the findings of German site GeekHeim, the Canadian company has a big, nasty security flaw in its own ranks. Apparently, when you set up an email account using BlackBerry 10’s email client, you’re unwittingly sharing your login credentials with BlackBerry.

“If you use one of the main functions of the phone, the email client for POP and IMAP, the complete account information including user name and password are sent to BlackBerry server without warning, without notice, without option to turn off this behavior,” said Frank Rieger of GeekHeim.

BlackBerry 10's email client may send your login credentials to BlackBerry
Credit: Heuse Online

Bear in mind that this is POP/IMAP email, not BlackBerry’s own services such as BBM messaging or PIN messaging.

He said that logs show the device connecting, with your username and password, to an IP address that belongs to “Research in Motion Unlimited” (which is actually an outdated name, as the company formerly known as RIM is now simply BlackBerry).


Worse, he said that the traceroute goes to Great Britain and the U.S. as well, which could mean that those governments (read: the NSA, et al.) could potentially spy on BlackBerry users without their knowledge or consent. This is true even if the credentials are encrypted with SSL/TLS in transit, because BlackBerry has the data and could simply decrypt them.

Marc Heuse of Heise Online (another German site) extracted this response from BlackBerry on the matter:

We're unable to submit to the allegations raised in the media with respect to the state surveillance of telecommunications data no comments. [...] In our public statements and principles we underscore for some time that there is no "back door" to this platform.