bodyType

customContents

entityId

entityUuid

articlePageQuery

filter

article

articleBaseAdvertisingInfoArticle

articleListArticle

articleSeoArticle

hooksArticleAcknowledgementGateOverlayArticle

hooksTrackPageViewArticle

hooksContentInterestArticle

articleLinkingDataContent

hooksAmpRedirectArticle

articleSchemaContent

liveArticle

advertZone

sentiment

contentLock

topics

types

sections

paywallTypes

createdDate

publishedDate

urlAlias

moreOnThisArticles

sponsorType

commentCount

authorLocations

authors

corrections

displaySlideShow

multimediaEmbed

printHeadline

seriesContainer

articleSpeeches

socialHeadline

headline

images

flag

firstTopic

glossary

flattenTypeIds

image

relatedLinks

relatedNewsletters

__typename

sponsor

pdfFiles

seriesReverseOrder

series

disableOffPlatformContent

published

updatedDate

summary

subHeadline

body

keywords

readingTime

customTimezone

liveContents

Security flaws in Yahoo!'s mobile mail service in Taiwan appear to have left some users' e-mail accounts exposed for more than a week.

People using Yahoo!'s e-mail service via the WAP (wireless application protocol) gateway of cell phone provider Far Eastone reported being automatically logged on to a random e-mail account when they went to the Yahoo! home page.

The extent of the problem is unclear with both Yahoo! and Far Eastone unable to find the cause or determine how many accounts have been exposed.

The problem was discovered on August 2 when a Yahoo! e-mail account was accidentally accessed from a WAP phone. Ironically, that exposed account belonged to a senior executive of Far Eastone. Inbox, sent mail and even the address book of the user's Yahoo! mail were freely accessible on more than one occasion.

Details of the user's March trip to Bali and book choices at Amazon.com were on display. One e-mail contained files outlining a company human resources policy. 'Please find the most updated file, regards', said the e-mail under the subject line: 'Key talent retention.'

The Far Eastone executive said he understood the concerns of other customers, despite being an employee of the phone operator.

'I think my comment is just like a usual customer,' he said. 'Basically, this is a terrible deviation and it's a problem which shouldn't happen.'

Although more than 50 of his private e-mails were on display, which included sensitive business correspondence, he said the exposure of his Yahoo! account was not a big problem.

'To me, since my Yahoo! is not so important, I use my company account,' he said. 'But the issue is not the content itself, the issue is the security.'

In the course of one week, at least four other Yahoo! e-mail accounts were randomly exposed to a reporter from the South China Morning Post who logged on to the Yahoo! site.

Far Eastone technical support said the problem was Yahoo!'s, not theirs, and that it had been fixed. 'I think this is Yahoo!'s problem,' said a Far Eastone public relations spokeswoman, Melissa Chen.

On Friday, Yahoo! denied responsibility.

'It's not likely our problem,' said public relations representative for Yahoo! Taiwan Maureen Wu.

However, in a written statement yesterday, the company said it was not blaming any operator for the problem.

'This same problem does not exist with other telecom partners,' said Pauline Wong, from Yahoo! North East Asia, based in Hong Kong.

'However, let me confirm again we also did not say that the problem must be with Far Eastone,' she said in an e-mail.

Far Eastone rival KG Telecom said it had not had any similar security breaches with Yahoo!

Experts suggested Yahoo! might be to blame. 'I would say the problem is with Yahoo!,' said Danny Wan, a Sydney-based system engineering manager at security software company Check Point.

Mr Wan said with most mobile Internet systems, security was often not a top priority. Instead, service providers were more keen on getting their services up and running.

'The security answer is an afterthought,' he said.

Tat Hsu, senior manager at Ericsson, which supplied Far Eastone's WAP gateway, agreed the problem appeared to lie with Yahoo!.

'I think it's a problem on the Yahoo! side, not the Far Eastone side,' he said.

Fellow mobile operators Chunghwa Telecom, Mobitai and Transasia also use Ericsson's gateway, but Mr Hsu said that they had reported no problems.

'It depends on how the operator uses the gateway,' he said.

In some cases, operators maintain a database of subscriber's login details for different services, which could include Yahoo!, to enable faster mobile surfing. However, that database is supposed to be inaccessible to third parties.

'Far Eastone should not be allowed to pass on your mobile ID number,' he said.

On Saturday, eight days after the problem first came to light, Yahoo! said it had decided to block Far Eastone WAP customers from accessing its mail site. However, Yahoo! e-mail accounts are still being randomly accessed from Far Eastone WAP handsets.

As recently as yesterday the security gap was still open and random e-mail accounts could still be accessed.

By last night, 10 days after learning of the incident, both Yahoo! and Far Eastone appeared not to have found an answer to the problem.



Yahoo! flaw exposes e-mails