Security warning for portable PopMan

General discussion about PopMan.

Moderator: Christian

kea
Posts: 2
Joined: 16 Oct 2007, 12:51
Location: Sweden

Post by kea »

Using PopMan as portable makes it possible to put it on a USB flash drive and check your mail anywhere. But if you lose the flash drive, or if someone steals it, there is no protection for your mail accounts.

The password that is supposed to block illegal opening of PopMan depends on only two lines in PopMan.ini, and the ini file is not protected with any password. Under [Settings]:

LastKW=1
CurrPd=fl5aZQ==

where fl5aZQ== is the encrypted password.

So let's pretend that I am the thief that stole the USB flash drive.

Now I would change those two lines to

LastKW=0
CurrPd=

and save PopMan.ini. Then I can open PopMan without using any password, with access to all the mail accounts. The passwords for the accounts are still hidden with dots, but they can easily be retrieved with the free and portable X-Pass.

Then I have all the information I need to check and read all the mail on all the accounts on the stolen flash drive. If I do that with a mail client set to leave the messages on the server, there is practically no risk of disclosure!

Kea
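
A mitigation sketch for the weakness described in the post above, added here as an example (it is not from the post or from PopMan's code): the stored account password is encrypted under a key derived from the startup password, so editing LastKW and CurrPd in the ini file unlocks nothing. The `account_secret` field, the function names and the sample values are assumptions, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for an AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: slow KDF so offline guessing of the startup password is costly

def _keys(password: str, salt: bytes):
    # One PBKDF2 call yields two independent keys: (encryption key, MAC key).
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return k[:32], k[32:]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for a real AEAD, stdlib only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(password: str, secret: str) -> dict:
    # Encrypt-then-MAC the mail account password under the startup password.
    salt, nonce = os.urandom(16), os.urandom(16)
    ek, mk = _keys(password, salt)
    pt = secret.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ek, nonce, len(pt))))
    tag = hmac.new(mk, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unseal(password: str, blob: dict) -> str:
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    ek, mk = _keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong startup password or tampered settings")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct)))).decode()

def open_profile(settings: dict, typed_password: str) -> str:
    # No "is a password set?" flag is consulted here: LastKW and CurrPd are
    # ignored, and the typed password itself is the only way to the key.
    return unseal(typed_password, settings["account_secret"])

if __name__ == "__main__":
    # Constructed sample settings, not PopMan's real storage format.
    settings = {"LastKW": "1", "CurrPd": "x", "account_secret": seal("startup-pw", "mailbox-pw")}
    settings.update(LastKW="0", CurrPd="")  # the two-line edit from the post
    try:
        open_profile(settings, "")
    except ValueError as e:
        print("edited ini, empty password:", e)
    print("correct password:", open_profile(settings, "startup-pw"))
```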