How Does Netvibes Store Our Email Passwords?

The popular start page Netvibes features a widget that automatically checks your email for new messages. For it to do this, you must supply your email address and its password (as well as your mail server, if you use POP or IMAP).

Here’s what I want to know: How are they storing our passwords? We’re giving them the login details to our email accounts, and they haven’t told us how they’re storing them!

I assume they aren’t in plain text (they’d better not be!), but how does their widget work, then? They can’t just decrypt an md5 hash when they need to access your account (or can they, somehow?). If they’re encrypting the passwords, how are they going about it? Are they using a salt? Are they using md5 or sha1? How secure is the server these passwords are sitting on?

Obviously they can’t tell us everything, as that would be a security risk. However, I think we should know a few things about how our email login details are being stored.

  • Dave (http://www.ladadadada.net)

    It’s unlikely that your passwords are encrypted when stored on their server and even if they were encrypted, it wouldn’t help.

    The essence of the problem is that they need access to your decrypted password every five minutes in order to check your email. They COULD encrypt it quite easily… creating a random key the same length as your password and XORing your password with it before storage would render the encrypted password completely secure… but where do you store the key?

    The key has to be available to the same application that has access to the encrypted password in order to decrypt it. That would be like storing your house keys under the doormat. Actually, it’s more like storing your house keys in the lock of your front door.

    Because they need your plaintext password to check your account, there is little point in encrypting it, as they need to store the decryption key with the encrypted plaintext.

    The only thing they can do is try to protect the box from malicious access to the plaintext passwords. Encryption will not help in this case.

    There is no known way to decrypt md5 or sha1 other than by brute force. This is a design feature of both of these hashes.
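The trade-off the post asks about and Dave’s comment explains, as an added worked example in Python (not code from the post, the commenter or Netvibes): a salted hash can only verify a password, while XOR with a random key as long as the password can be reversed, but only by whoever also holds the key, which is exactly what the widget and an intruder on the same box would both have. All passwords and keys are constructed sample values.

```python
# Added example: one-way hash vs. reversible XOR storage for a credential
# that a mail-checking widget has to replay. sha1 and XOR appear because
# the thread asks about them, not because they are recommended today.
import hashlib
import hmac
import os
from typing import Optional, Tuple


def hash_record(password: str) -> dict:
    """One-way storage: enough to *verify* a login, never to replay one."""
    salt = os.urandom(16)
    digest = hashlib.sha1(salt + password.encode()).digest()
    return {"scheme": "hash", "salt": salt, "hash": digest}


def verify_against_hash(candidate: str, record: dict) -> bool:
    digest = hashlib.sha1(record["salt"] + candidate.encode()).digest()
    return hmac.compare_digest(digest, record["hash"])


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def encrypt_record(password: str) -> Tuple[dict, bytes]:
    """Dave's scheme: XOR with a fresh random key as long as the password.
    The key is returned separately so the caller decides where it lives."""
    plaintext = password.encode()
    key = os.urandom(len(plaintext))
    return {"scheme": "xor", "ciphertext": xor_bytes(plaintext, key)}, key


def recover_password(record: dict, key: Optional[bytes] = None) -> Optional[str]:
    """What anyone holding `record` (and maybe `key`) can get back.
    The widget and an intruder who copied the same box run exactly this:
    if the widget can log in, so can the intruder."""
    if record["scheme"] == "hash":
        return None  # no way back from a digest, so the widget cannot log in
    if key is None or len(key) != len(record["ciphertext"]):
        return None  # a database dump without the key reveals nothing
    return xor_bytes(record["ciphertext"], key).decode()


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    hashed = hash_record(pw)
    print("hash verifies the user:", verify_against_hash(pw, hashed))
    print("hash lets the widget log in:", recover_password(hashed) is not None)
    enc, key = encrypt_record(pw)
    print("db dump only:", recover_password(enc))
    print("db dump + key on the same box:", recover_password(enc, key))
```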

  • Matt (http://www.webmaster-source.com)

    That’s what I thought. Scary, isn’t it? :D

    Thanks for the well written comment.

  • HeBu

    I contacted Netvibes on this and they told me that the passwords of the Twitter & mail widgets are stored with a two-way encryption, with “only” three Netvibes workers knowing the key to it.

    In fact a bit scary. Wouldn’t it be much more secure if they used OAuth?

    Does anyone know something about how PageFlakes does the storing of the login data?

    • Matt (http://www.webmaster-source.com)

      OAuth *would* be more secure, in that nobody sees your password and you can easily revoke access, but there’s one problem: how many email providers offer OAuth authentication? (I don’t even know if the POP/IMAP protocols would support it…)

      • HeBu

        At least for Twitter it would be a more secure way to connect. For mail accounts it would be nice to have the option to enter the password once per session, so it would not be stored in the database, only client-side.

  • Jb

    So I am an idiot and gave my passwords to Netvibes for Gmail and my MSN Live ID, and now BOTH my email accounts have been hacked to send spam. I’m currently locked out of the MSN account – someone or something has changed my password and I can’t get in. DON’T Do It!

    • HeBu

      I really don’t think Netvibes abuses or gives away passwords of their users. But there were some recent Hotmail account hijacks by spammers (about half a year ago) and maybe you used the same passwords for Gmail?

      But to be sure to leave Netvibes in a clean status: I entered some fake account data (username and password) in my mail and Twitter widgets before deleting them. So I hope my logins were overwritten with nonsense data in the Netvibes database.

  • vincentweb

    Is this serious? I’m just starting to use this Netvibes and I have all my social networking in Netvibes: FB, Gmail, Hotmail, Yahoo, Twitter and many more… I almost exposed all my passwords to Netvibes. Please tell me it’s OK, else I’m going to delete the widget away from my account.

    • frank

      vince,

      Change all of your passwords immediately!

  • bw

    When using Fiddler to inspect the dataflow from my browser I also observed the following:

    * regarding the popmail widget: the message subject information is NOT ENCRYPTED when it comes back from the Netvibes server. Anyone can read the subjects of your mail.
    * even more scary: when logging in to Netvibes, your Netvibes username and password are NOT encrypted before being sent to Netvibes. After someone has sniffed your username/password on the internet, he can use all your accounts (mail, Google etc.) without knowing your password.

    Be aware!

  • slacker

    Just signed up for Netvibes using my Hotmail account.
    Two days later someone is sending spam from my Hotmail account.
    Never had my Hotmail account hacked before.
    Oh please bring back google reader.