05 Jan 2006 | Stream

Netvibes is dangerous

Netvibes is a nice and well designed start page, better than Google's Personal Page and Microsoft's Windows Live. It can be a good application for one who doesn't read more than ten feeds (otherwise a real feed reader is a must-have). In addition to feed reading, they provide some interesting add-ons, like web notes, price watch, To Do list, and mail reading...

Yes, they provide a module for reading a Gmail, Yahoo! Mail, or any other POP3/IMAP4 account. And I find it to be a great danger for anyone who uses it, especially including those hundreds of unaware users.

There are two major issues about it. First of all, in order to use the mail reading module, one must provide login and password. No service should ask one for private passwords to other services. In case of Netvibes, they ask for such a password and do not explicitly state nor describe the further authentication and authorization process. The main problem here is that, at the time of this writing, they only use insecure HTTP protocol instead of encrypted HTTPS!! This means that your mail login and password are being sent over an unencrypted channel between your and Netvibes machine. The simplest solution for this is to just enable HTTPS, but instead they wrote the following in their Terms of service:

Your use of the Service is at your sole risk. The service is provided on an "as is" and "as available" basis.
Oh, they just forgot to emphasize "your sole risk" ;).
You understand that the technical processing and transmission of the Service, including your Content, may be transfered unencrypted and involve (a) transmissions over various networks; and (b) changes to conform and adapt to technical requirements of connecting networks or devices.
Nope and sorry, but I don't understand why do you send people's passwords over unencrypted channels.

Here is a sample transmission, dumped using Firefox Live HTTP Headers (emphasized text shows the danger):

http://www.netvibes.com/securePassProxy.php

      POST /securePassProxy.php HTTP/1.1

      Host: www.netvibes.com

      User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9, text/plain;q=0.8,image/png,*/*;q=0.5

      Accept-Language: en-us,en;q=0.8,pl;q=0.5,uk;q=0.3

      Accept-Encoding: gzip,deflate

      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

      Keep-Alive: 300

      Connection: keep-alive

      Content-Type: application/x-www-form-urlencoded

      Content-Length: 65

      Cookie: ---CENSORED PRIVATE DATA---

      Pragma: no-cache

      Cache-Control: no-cache

url=https%3A//MyLogin%3AMyPassword@mail.google.com/mail/feed/atom

      HTTP/1.x 200 OK

      Date: Wed, 04 Jan 2006 20:55:32 GMT

      Server: Apache

      Expires: Thu, 19 Nov 1981 08:52:00 GMT

      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

      Pragma: no-cache

      Keep-Alive: timeout=2, max=100

      Connection: Keep-Alive

      Transfer-Encoding: chunked

      Content-Type: text/xml

Secondly, I just don't trust and don't use a service which asks me for my private passwords. Besides the technical danger already explained above, there is a question do they or how they store people's passwords on their machines. This is a proprietary application, thus we don't know their server-side code, but even if we knew, it just wouldn't make much difference. At the time of writing this post, their Privacy Policy says: Netvibes will never sell, rent or share your personal information, especially your e-mail addresses, with any third parties for marketing purposes without your express permission.

Good, they emphasized especially your e-mail addresses , but no explicitly stated about mail logins and passwords. I personally find it more important than the problem of giving my e-mail address to a spammer. Spam is easy to ignore, but what about logging into people's accounts? They already have a nice collection of logins and passwords and almost all mail services do not state the last login time/IP address. So it's fairly easy to read people's mail ;). You can also imagine what could happen if somebody cracked into their machines...

Okay, perhaps I'm just exaggerating the problem and I really, really want to believe that it is not their intention to do such malicious things. I'm sure they just wanted to make people's life easier, but they simply forgot that the risk is *very* high.

Besides these serious flaws, Netvibes is still an interesting service -- just do not use its mail reading modules! :-)