[kmail2] [Bug 487882] New: plaintext HTTP request in kmail-account-wizard
shushangw
bugzilla_noreply at kde.org
Sat Jun 1 13:58:05 BST 2024
https://bugs.kde.org/show_bug.cgi?id=487882
Bug ID: 487882
Summary: plaintext HTTP request in kmail-account-wizard
Classification: Applications
Product: kmail2
Version: 5.24.4
Platform: unspecified
OS: Unspecified
Status: REPORTED
Severity: major
Priority: NOR
Component: general
Assignee: kdepim-bugs at kde.org
Reporter: beardwen at gmail.com
Target Milestone: ---
Summary:
The KMail account wizard sends a plain HTTP request
(https://github.com/KDE/kmail-account-wizard/blob/master/src/ispdbservice.cpp#L29)
to retrieve the mail server's configuration file.
Possible result:
Consider an attack scenario in which the attacker and the victim are both
located in a coffee shop, sharing the same Wi-Fi network. The attacker can
tamper with any content transmitted over the plaintext connection, for example
by specifying the target mail server as an attacker-controlled server.
If not implementing HTTPS is deliberate, what is the reason for doing so?
--
You are receiving this mail because:
You are the assignee for the bug.
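
An added example, not code from kmail-account-wizard or from the reporter: a standalone C++ check (standard library only, no Qt) that a configuration fetch stays on HTTPS for the initial request and every redirect hop. The names ParsedUrl, parseUrl and configFetchIsEncrypted are hypothetical, and any URLs passed to it here are constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Hypothetical helper type for this example; not from kmail-account-wizard.
struct ParsedUrl {
    std::string scheme; // lower-cased
    std::string host;   // lower-cased, port stripped
};

// Split "scheme://host[:port][/path]"; anything else is rejected.
bool parseUrl(const std::string &url, ParsedUrl &out)
{
    const auto sep = url.find("://");
    if (sep == std::string::npos || sep == 0)
        return false;
    const auto start = sep + 3;
    const auto end = url.find_first_of("/?#", start);
    std::string host = url.substr(start, end == std::string::npos ? end : end - start);
    // Refuse userinfo ("https://good@other/") instead of guessing the real host.
    if (host.find('@') != std::string::npos)
        return false;
    host = host.substr(0, host.find(':'));
    if (host.empty())
        return false;
    auto lower = [](std::string s) {
        std::transform(s.begin(), s.end(), s.begin(),
                       [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
        return s;
    };
    out.scheme = lower(url.substr(0, sep));
    out.host = lower(host);
    return true;
}

// True only if the initial request and every redirect hop use HTTPS, so no
// part of the configuration fetch crosses the network in plaintext.
bool configFetchIsEncrypted(const std::vector<std::string> &hops)
{
    if (hops.empty())
        return false;
    return std::all_of(hops.begin(), hops.end(), [](const std::string &u) {
        ParsedUrl p;
        return parseUrl(u, p) && p.scheme == "https";
    });
}
```

The first element of hops is the URL the client requests; each later element is a redirect target, so an HTTPS request that is redirected to HTTP is rejected as well.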