The wizard used to configure e-mail access on the latest Nokia S60 devices is sending e-mail credentials to Nokia, via HTTP, even when the user is connecting to an unrelated mailserver. The connection was spotted by the Mobilitics blog, who discovered that running the wizard on a Nokia 5800 results in a (secure) HTTP connection …
If this WERE the vole, then imagine the uproar??
Why on earth would Nokia code this inthe first place? What possible purpose could it serve?
Will be fixed? I doubt it..
If the Nokia's statement was quoted accurately in the story I would be extremely surprised if they actually intended to change the way the wizard operates. Instead they most probably add some extra legalese and try to get away with that. The poor user needs to "accept" yet one more humiliating blow to her self-covernance before the software lets her proceed with the mail setup.
There's one thing worth mentioning that was missing from the article. According to the original blogger; upon completing the wizard Nokia tries to -- get this! -- connect and login to the mailbox using the credentials they just secretly aquired. I for one would feel violated if someone would sign in to my mailbox without me explicitly granting permission to do that. I've been taught _not_ to let other people have my passwords let alone use them. I'm not letting my PC Support, my spouse nor my boss to do that. Certainly I'm not letting some clumsy phone manufacturer that - obviously doesn't "get" the Internet to do that.
What I would really much like to know is how Nokia has actually arranged the log file management with their HTTP servers and _all_ other systems that get a copy of the users' credentials. They claim they don't store the credentials. Yeah, right! Their server logs, RAM memory, paging files and temp folders have credential information all over the place unless they explicitly do some magic to securely wipe the data. Something tells me they haven't planned this "feature" with that in mind..
Nokia - purveyors of buggiest software in known universe
It's just another Nokia bug. Nokia produce the buggiest software known to man. If Nokia had been in charge of the Moon Landing program, the rocket would have left Cape Canaveral and landed in Hemel Hempstead. (Perhaps no bad thing.)
I mean, has anyone had ANY success with their new Ovi Suite? On 3 different XP SP3 PCs the NMT media transfer driver doesn't work at all - so no installing the 100 new DRM-riddled songs I got with my phone. Perhaps no bad thing either. Their Mac software is unfortunately no better - I asked it to delete a folder of music on my card and it did, but also tried to delete the Nokia internal memory drive C: and also delete the entire SD card E:. Luckily the phone said "I'm not going to do that", so the Nokia Multimedia Transfer app on the Mac reported this as an error ("Can't delete C:\") Nokia's response? "It seems problem is with file in your device. Please reset your phone to factory settings, reformat your SD card, and try again." Looks like they don't know about pathname quoting in Nokia Towers.
I emailed them to say that perhaps they should consider replacing the 'u' in "Ovi Suite" with a 'h'. No reply so far.
Not just the usernames and passwords
The Nokia spokesdroid's claim that the credentials "pass through" their server means they've been running an in-line proxy. That means that it's not just the credentials, but every byte of text in every email sent and received that's also gone through their servers.
If it were Microsoft...
"...interesting to speculate how much bigger this story would be if Microsoft were guilty of the same thing".
The latest MS browser that works on Windows 2000 Server (supported to July 2010) is IE6 (no doubt still in use also on many XP systems).
In IE6, if you select Tools / Show Related Links then (even if you close that pane), on subsequent use of Ctrl-R (to refresh), IE6 silently sent a clear-text copy of the request (including any "query string" or form data) to the site indicated in C:\WINNT\Web\Related.htm. This used to specify http://related.msn.com/related.asp, which redirected to a site within alexa.com but on my system today, I see that it now directs to google.com.
This (reported June 2003) happened even if the intended communication was via SSL, but it created no great excitement.
I checked again today (on a fully patched Windows 2000 Server). Sure enough, IE6 silently sends Google a clear-text copy of the request (passwords and all).