Smartermail Version 16.X - username and password exploit
Problem reported by Jade D - 12/14/2017 at 12:24 AM
Not A Problem
For SmarterTools Security team - ticket 28A-21C4E234-0058
For the community - ensure that your webmail interface redirects to https ASAP.
There is an issue with Smartermail 16 that allows for credentials to be sent via plain text (unencrypted) - exposing usernames and passwords.

4 Replies

Tim Uzzanti Replied
Employee Post
It is not uncommon. It is how almost all products POST to APIs and require / demand HTTPS!
No customer should run a mail server without HTTPS enabled and required!
Also, most synchronization protocols for mail used over the Internet are the same way. It is for that reason HTTPS / TLS etc. should be enabled.
Tim Uzzanti
SmarterTools Inc.
(877) 357-6278
echoDreamz Replied
Yep - We have rewrite rules for our common hostnames that automatically redirect to HTTPS when used.
Jade D Replied

When will Smartertools resolve the issue?

Stating that one needs to utilize SSL / TLS because a portion of your code posts usernames and passwords in plain text is not a fix at all.

Jade D Replied
A sample where credentials are sent via plain text; you should consider the following:
SmarterMail Credentials leak
