Imagine this: a malicious hacker gains access to your e-mail account by getting hold of your username and password from an app that leaks them, such as Tiscali's.

Are you nervous? Palms sweaty? Knees shaking? Probably not.
Now if you had instead been told your credit card information had been leaked, that likely would have spurred an automatic reaction of fear or dread. But take a moment and think about it. Do you realize the amount of information your e-mail account has to offer?
The security threat research team at Wandera has discovered an e-mail username and password leak in a mobile application created by Italian telecommunications company Tiscali.


Tiscali is a large Italian telecommunications and internet provider. It is widely known because it historically provided internet services across the EU, but it has since sold off most of its subsidiaries outside Italy. TalkTalk, one of the big 4 telcos in the EU, recently acquired the UK division of Tiscali.
The organization went through a very successful IPO back in October 1999, during the dot com bubble, with a starting price of approximately €46 per share. Its share price, however, has since plummeted to less than €0.04. Many people still use Tiscali e-mail addresses and rely on it as their telecom service provider.


The Leak

The productivity-focused app, created by Tiscali, allows users to access their e-mail as well as the top news stories. It also allows individuals to customize the platform to their liking and receive real-time notifications.
Both the iOS and Android versions of the application use plain HTTP to transmit user information. Specifically, during the login process, users’ account names, e-mail addresses, usernames and passwords are transmitted in plaintext over the internet, making them easily accessible to any third party on the path.
Making matters worse, once users are logged in, the app continuously re-authenticates them, meaning their credentials are leaked multiple times over the air. This substantially increases the odds of an attacker intercepting the information.
The implications of this leak are even more concerning when you consider that, with knowledge of the victim’s username and password, a cybercriminal can gain full access to the user’s e-mail account.

E-mail hacking

But what’s so concerning about someone gaining access to your e-mail account? Take a quick skim of your mailbox and you’ll begin to see why this is no trivial matter. Your e-mail account can contain everything from your banking information, password reset e-mails, invoices, insurance forms, photos and personal conversations. For many, it literally holds the keys to every electronic facet of their lives.
Moreover, from a business perspective, there’s no end to the confidential information stored in corporate inboxes. Contracts, financial statements, valuable intellectual property, contacts, and calendars are at risk when e-mail credentials leak. This can easily lead to corporate scandal and detrimental financial impacts, as has been demonstrated many times by even some of the most well-known companies.
Sony Pictures, for example, fell victim to a massive scandal when its CEO’s private e-mails were leaked, leading to her eventual resignation. Hackers released e-mails she had sent to fellow executives that were racially insensitive and that included inappropriate comments about the actress Angelina Jolie.
Leaked information and its exploitation are only the first of the dangers associated with e-mail hacking. The second is perhaps even more serious. When hackers gain access to e-mail accounts, they also gain the ability to send e-mails from those accounts, so cybercriminals can easily impersonate the individuals whose accounts they control. This can result in phishing e-mails sent to the victim’s entire list of contacts and the subsequent compromise of even more users.

The moral of the story

The Tiscali e-mail username and password leak is therefore not something that should be taken lightly. It draws attention to the absolute need for businesses to have a security service deployed on corporate devices that monitors traffic at the data level.
Wandera has already detected a number of enterprise users who have downloaded this mobile app and who, without the mobile security service deployed, would have exposed their e-mail credentials.
The developers of the Tiscali app are advised to use SSL/TLS to protect the transmission of personally identifiable user information, session tokens, and other sensitive data to a backend API or web service.

Responsible disclosure

We attempted to contact Tiscali twice over a one month period, notifying them of the data leak both times. We received no response.