The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions.
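A client-side check for the crafted message IDs described above, as an added example that is not code from this bug report or from any mail client: it computes the APOP digest (MD5 over the challenge followed by the password, per RFC 1939) only when the server's challenge is a strictly formed, printable-ASCII msg-id. The function names and the strict pattern are assumptions made for this illustration. The first greeting and secret are the RFC 1939 example and the second greeting is constructed.

```python
import hashlib
import re

# Strict msg-id shape: <local@domain>, printable ASCII only, with no spaces,
# control bytes, 8-bit bytes or extra "<", ">" or "@" inside (assumed policy).
_MSGID = re.compile(rb"<[!-;=?A-~]+@[!-;=?A-~]+>")

# Greeting and secret from the APOP example in RFC 1939.
RFC_GREETING = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>\r\n"
# Constructed greeting with raw binary bytes inside the challenge.
CRAFTED_GREETING = b"+OK ready <1896.\x80\xff\x00\x1b@dbc.example>\r\n"


def extract_challenge(greeting: bytes):
    """Return the APOP challenge from a POP3 greeting, or None if unusable."""
    line = greeting.rstrip(b"\r\n")
    if not line.startswith(b"+OK"):
        return None
    start, end = line.find(b"<"), line.rfind(b">")
    if start < 0 or end < start:
        return None  # no challenge: the server does not offer APOP
    candidate = line[start:end + 1]
    # Hash only a challenge that passed validation, never raw banner bytes.
    return candidate if _MSGID.fullmatch(candidate) else None


def apop_command(greeting: bytes, user: str, password: bytes):
    """Build the APOP command, or return None so the caller can abort."""
    challenge = extract_challenge(greeting)
    if challenge is None:
        return None
    digest = hashlib.md5(challenge + password).hexdigest()
    return f"APOP {user} {digest}"


if __name__ == "__main__":
    print(apop_command(RFC_GREETING, "mrose", b"tanstaaf"))
    print(apop_command(CRAFTED_GREETING, "mrose", b"tanstaaf"))
```

A `None` result means the client should not send a digest for that greeting at all.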
mozilla, any news on this one?
Upstream seems to ignore this bug. No distro has issued a security advisory.
(In reply to comment #1)
> mozilla, any news on this one?

This is such a minute issue that upstream is not gonna bother with it. Reason being that every user should know that a 3 letter password is shit to begin with, and the fact that is the first three characters give up the actual password the users should be compromised.
Passwords don't need to be of 3 characters length or less to be affected by this. Brute force and dictionary attacks would be much easier.
This is being handled in bug 180436.

*** This bug has been marked as a duplicate of bug 180436 ***