Security - Windows Phone fails to check certificate Common Names when synchronising email using SSL
Windows Phone currently suffers from a security vulnerability when synchronising email to and from POP3 / IMAP / SMTP servers using SSL, according to a recent filing over at the US-CERT (United States Computer Emergency Readiness Team) website. The issue is pinpointed to Microsoft's mobile OS not verifying the CN (Common Name) of server certificates when connecting to servers using SSL.
This opens up a potential threat from a man-in-the-middle attack, which would enable someone to view login or session data in the corresponding protocol (SMTP, POP3, etc.). The good news is that Microsoft is reportedly aware of the security vulnerability and plans to release an update to address the issue.
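To make the missing check concrete, here is an added example (not code from US-CERT or Microsoft) of the name comparison a mail client has to perform on top of chain validation. The host names and certificate dictionaries are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the helper names are hypothetical.

```python
import ssl

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one name from the certificate with the host the client dialled."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    # A wildcard is honoured only as the entire left-most label.
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def cert_names(cert: dict) -> list:
    """dNSName SAN entries if present, otherwise the subject Common Name."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def server_identity_ok(cert: dict, hostname: str) -> bool:
    """The step the affected client skipped: does the cert name this server?"""
    return any(dns_name_matches(n, hostname) for n in cert_names(cert))

def strict_mail_context() -> ssl.SSLContext:
    """Context for imaplib / poplib / smtplib with chain and name checks on."""
    ctx = ssl.create_default_context()
    # Already the defaults; pinned so a later edit cannot silently drop them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

# Constructed sample certificates (getpeercert()-style dicts).
GENUINE = {"subject": ((("commonName", "imap.example.com"),),)}
OTHER_HOST = {"subject": ((("commonName", "mail.other.example"),),)}
WILDCARD = {"subject": ((("commonName", "example.com"),),),
            "subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    target = "imap.example.com"
    for label, cert in (("genuine", GENUINE), ("other host", OTHER_HOST),
                        ("wildcard", WILDCARD)):
        print(f"{label:10} -> accepted for {target}: "
              f"{server_identity_ok(cert, target)}")
```

A certificate can chain to a trusted CA and still belong to a different host, so a client that stops at chain validation accepts `OTHER_HOST` for `imap.example.com`.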
Microsoft is looking to crank up security in its products, particularly Windows Phone 8. We've previously looked at how the company will be improving security in the next major version of Windows Phone.
Source: US-CERT; thanks, Yotsuba, for the heads up!