Anyone can access your Yahoo mail on iPhone

Don't use your Apple iPhone to access your Yahoo Mail account, security firm Isode says

If you have a Yahoo email account and push email from it to your Apple iPhone, you may unknowingly be compromising your security, Tech.co.uk has learned.

With non-Yahoo email accounts, the Apple iPhone fetches mail using IMAP (Internet Message Access Protocol), which polls the server for new messages, so you have to wait for them to appear rather than receiving them as push email.

With Yahoo Mail, however, the Apple iPhone authenticates by combining a proprietary protocol called XYMPKI with IMAP, according to software firm Isode and its email security expert Dave Cridland.

Yahoo does not provide a general IMAP service; it uses IMAP only for iPhone access. Although the iPhone supports TLS (Transport Layer Security), Yahoo! IMAP does not, which opens the door to a so-called replay attack. Such an attack leaves you vulnerable because someone could trick the domain name server into pointing at a machine that pretends to be Yahoo's email server.

Eavesdropping

This could lead to anyone being able to eavesdrop on the email authentication exchange when your emails are pushed to your Apple iPhone, especially when using any open (public or private) Wi-Fi hotspot. The hacker can then gain full access to your email account until you change your password. Isode said on its website that it "would advise against using the Yahoo service with an iPhone, because of this security risk".

If Apple and Yahoo had supported TLS standards in this case, replay attacks wouldn't be possible, Cridland wrote on his blog. Or the two firms could have developed "some other proprietary mechanism that actually offered real security".
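To make the replay risk concrete, here is an added illustration (not code from the article, Isode, Apple or Yahoo, and not XYMPKI itself, whose internals are not described here). Two constructed stand-in login protocols are run over a link an eavesdropper can read: one whose proof is the same on every login, so a captured exchange logs in again, and one that binds each proof to a fresh, single-use server nonce, so the captured exchange is rejected. The account name and password are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; the password never travels in the clear below.
USERS = {"alice": "correct horse battery staple"}


class StaticProofServer:
    """Proof depends only on the password, so it is identical on every login."""

    def login(self, user, proof):
        expected = hashlib.sha256(USERS[user].encode()).hexdigest()
        return hmac.compare_digest(proof, expected)


def static_proof(password):
    return hashlib.sha256(password.encode()).hexdigest()


class ChallengeServer:
    """Each login must answer a fresh server nonce; every nonce is single-use."""

    def __init__(self):
        self.pending = {}  # user -> outstanding nonce

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user, nonce, proof):
        issued = self.pending.pop(user, None)  # consumed whether or not it verifies
        if issued is None or not hmac.compare_digest(issued, nonce):
            return False
        expected = hmac.new(USERS[user].encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(proof, expected)


def challenge_proof(password, nonce):
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()


def replay_static():
    """Returns (genuine login ok, replayed capture ok) for the static scheme."""
    server = StaticProofServer()
    captured = ("alice", static_proof(USERS["alice"]))  # what a sniffer on the hotspot saw
    return server.login(*captured), server.login(*captured)


def replay_challenge():
    """Returns (genuine login ok, replayed capture ok) for the nonce scheme."""
    server = ChallengeServer()
    nonce = server.challenge("alice")
    captured = ("alice", nonce, challenge_proof(USERS["alice"], nonce))  # also sniffed
    genuine = server.login(*captured)
    server.challenge("alice")  # a later session is issued a different nonce
    return genuine, server.login(*captured)
```

Freshness only stops replay; it does nothing against the impersonation the article also describes, where a spoofed DNS answer sends the phone to a fake server, which is what TLS with server certificate verification addresses.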

"But they didn't. Because they don't, apparently, give a flying fuck about basic security, standards, or indeed anything much other than how to look cool. I don't know why I'm so angry about this, given I don't own an Apple iPhone, but it's a further let-down from people who really ought to know better," Cridland wrote.

As it stands, the Apple iPhone uses the XYMPKI proprietary software developed by Apple and Yahoo. "Had Apple and Yahoo chosen to use the existing, open-standard, Lemonade protocol suite, this simply couldn't have happened," Cridland concluded.
