au smartphone "IS01" has a defect in which BCC contents are disclosed to recipients; it also occurs on NTT docomo's "LYNX (SH-10B)"



au's "IS01", for which it had already been announced that the OS update to Android 2.1 or later would be cancelled, has a defect: when mail is sent with the standard mail application and an address is entered in BCC, under certain conditions that address is shown in the header information on the receiving side. This came to light through a tip from a reader.

Even if you are not an IS01 user, anyone who uses PC mail daily will see that BCC contents becoming visible to the other party, when that is precisely what you do not want them to see, is a fairly urgent problem. When we contacted KDDI about this based on the account from the reader, Mr. A, we got the answer that KDDI had indeed confirmed the BCC problem and that a fix for it is included in the update announced today. As things stand, however, only a different defect is described on the official website page announcing the update.

In addition, we asked NTT docomo whether the same problem exists on its "LYNX (SH-10B)", which has almost the same specifications, and it turned out that the same thing occurs as on the IS01. This is also said to be fixed by the update announced today, so IS01 and LYNX (SH-10B) users should update as soon as possible.

The fact-checking by the editorial department with the PR departments of the two carriers, the circumstances of the reader's inquiry to KDDI about the BCC problem, and KDDI's response are as follows.

◆ Details of the defect: BCC contents reach the recipient

Notification of Mobile Update | Mobile Update | au by KDDI


The published content of this update is that "E-mail ([email protected]) may not be received." According to Mr. A, it also includes a fix for the problem that e-mail addresses entered in BCC are disclosed to the receiving side. Below is what Mr. A actually tested using the IS01.

We now follow Mr. A's test procedure. First, choose to create a PC mail.


Specify multiple mail addresses in BCC.


Looking at the detailed address display, Gmail is indeed entered in To, and Yahoo! Mail and SoftBank mobile mail are entered in BCC.



Enter "subject" as the subject and "test mail" as the body.


Then send the mail. The mail at the top of the outbox, sent at 22:16, is the one in question.


When the received mail is viewed in a browser with the Yahoo! Mail account that was set in BCC, you can see that the BCC part has come through. Depending on the mailer there may be a function that strips BCC on its own, but if that function is absent, it becomes visible like this.


In Yahoo! Mail Beta, the BCC contents can be seen by looking at the detailed header. Also, since the received date and time of this mail is exactly 22:16, matching the sending time of the mail sent from the IS01, it can be confirmed that this is the same mail.


The bug reported this time occurs when a PC mail account is set up in the "Mail" application that comes standard on the IS01 and mail is sent from it. Mr. A tested with Yahoo! Mail and Gmail: Yahoo! Mail displayed the BCC information, while Gmail seemed to delete the BCC address on the server side, and the problem was not reproduced there.

However, this seems to reproduce not only with Yahoo! Mail but also with other domains, and when another mail client is used, BCC does not appear in the mail header even via the same Yahoo! Mail SMTP server. Mr. A therefore points out that it is very likely a defect in the IS01's mailer.
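The mechanism Mr. A's tests point to, as an added example that is not code from the article, the carriers, or the IS01 mailer: a client that leaves the Bcc: header in the message text it submits, beside the correct handling that puts Bcc addresses only in the SMTP envelope and strips the header before submission. All addresses are constructed sample values and nothing is actually sent.

```python
# Added example using Python's email library: Bcc addresses belong only in
# the SMTP envelope (RCPT TO); the Bcc: header must be removed before DATA.
# All addresses are constructed sample values; nothing is sent.
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default


def build_message(sender, to, bcc, subject, body):
    """Compose the message as the user typed it: To, Bcc, subject, body."""
    msg = EmailMessage(policy=default)
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def envelope_recipients(msg):
    """Every To/Cc/Bcc address belongs in the SMTP envelope (RCPT TO)."""
    rcpts = []
    for field in ("To", "Cc", "Bcc"):
        if msg[field] is not None:
            rcpts.extend(a.addr_spec for a in msg[field].addresses)
    return rcpts


def submit(msg, strip_bcc):
    """Return (envelope recipients, DATA bytes) as the client would hand them
    to the SMTP server. strip_bcc=False mimics the reported IS01 behaviour:
    the Bcc: header line travels inside DATA to every recipient."""
    outgoing = message_from_bytes(msg.as_bytes(), policy=default)  # working copy
    if strip_bcc:
        del outgoing["Bcc"]
    return envelope_recipients(msg), outgoing.as_bytes()


def bcc_addresses_in_data(data):
    """Receiving-side check: Bcc addresses left in the delivered header block
    (what the detailed header view in the article showed)."""
    received = message_from_bytes(data, policy=default)
    if received["Bcc"] is None:
        return []
    return [a.addr_spec for a in received["Bcc"].addresses]


if __name__ == "__main__":
    msg = build_message("user@example.test", ["to@example.test"],
                        ["hidden1@example.test", "hidden2@example.test"],
                        "subject", "test mail")
    for strip in (False, True):
        rcpts, data = submit(msg, strip)
        print("strip_bcc=%s rcpt=%s leaked=%s" % (strip, rcpts, bcc_addresses_in_data(data)))
```

Note that the envelope recipient list is identical in both cases, so the hidden recipients are still delivered to; only the header line that exposes them differs.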

◆ KDDI's View on the Defect

So, with the BCC problem in mind, we contacted KDDI public relations directly about this mobile update for the IS01.

GIGAZINE:
Regarding the IS01 mobile update announced today, it says "E-mail ([email protected]) may not be received." What kind of situation is this, concretely?

KDDI PR:
This is a defect in which, if you receive a mail that meets certain conditions, you can no longer receive any of the mails that should have arrived after it; even if you perform a new-mail inquiry, it shows that there is none.

GIGAZINE:
What are the specific conditions?

KDDI PR:
There is concern that they would be abused by third parties if the conditions were disclosed, so we are refraining from publishing the details.

GIGAZINE:
Incidentally, a user has reported the defect that a mail address entered in BCC in the IS01's standard mail application is unintentionally disclosed to the receiving side. Does this update also include a fix for that problem?

KDDI PR:
Yes. This bug is that when PC mail is sent from "Mail", the IS01's standard application, with a destination specified in BCC, the mail address that should originally be hidden is displayed in the header information on the receiving side. However, this too occurs only under certain conditions: it happens when neither the sending server on the sending side nor the receiving server on the receiving side is set to delete or not display the BCC information header. This will also be fixed by this mobile update.

GIGAZINE:
We think the problem announced on the official website is important too, but from a security standpoint it seems this BCC issue should be announced as well. Are there plans to post it on the website in the future?

KDDI PR:
Here too, we cannot rule out that publishing it could lead to some kind of abuse, so there is no plan to post it on the website. We will contact individual IS01 users by e-mail to ask them to cooperate with the update.

Although slightly off the main topic, the problem currently published on the website also appeared, from the published wording, to be a small and ordinary problem, but when we heard the details we were surprised at how absurd it is: if the phone receives a mail satisfying the conditions, its mail receiving function stops working from then on.

◆ NTT docomo's View on the Defect

Next, we asked the docomo public relations office about the "LYNX (SH-10B)" released by NTT docomo, which is a sibling model of the IS01 and for which a software update was also announced today.

Software update information of LYNX SH - 10B | Customer support | NTT DoCoMo


GIGAZINE:
We heard that the IS01 released by KDDI has a problem in which a mail address entered in BCC is unintentionally disclosed to the receiving side. Could the same phenomenon also occur on the LYNX (SH-10B)? There was no such description on the website.

NTT docomo PR:
As a result of checking, it turned out that a similar phenomenon can also occur on our LYNX (SH-10B).

GIGAZINE:
Will you announce it on the website or elsewhere in the future?

NTT docomo PR:
There are no plans to announce this phenomenon individually. This is because it is a very rare phenomenon and there is concern that it would be abused if published. This issue will also be fixed with the software update announced today. Also, the issue on KDDI's website does not reproduce on our terminal.

What KDDI and NTT docomo have in common regarding the BCC defect is that they will not publish it, on the grounds that it "occurs only under very limited conditions" and that "announcing it raises concerns of abuse by third parties".

◆ Exchange between Mr. A and KDDI about the BCC defect

Now let us follow in detail the exchange that Mr. A (a pseudonym) had with KDDI before the tip reached GIGAZINE. From late November until yesterday, Mr. A and KDDI had been corresponding.

November 19, 2010
Mr. A reported this bug to the KDDI customer center.

November 20, 2010
Reply from the KDDI au E-mail inquiry desk to Mr. A: as a result of testing with the "@ezweb.ne.jp" and "@auone.jp" mail addresses handled by au, BCC was not displayed and there was no problem.

November 22, 2010
Reply from Mr. A to KDDI. At this point he sent KDDI the data from the experiments with Gmail and Yahoo! Mail introduced at the beginning.


Since the content your company verified is, so to speak, what it is,
I think it is weak as supporting evidence.

I originally noticed this bug myself when sending from the IS01
mail client, because the person who received the mail
pointed it out to me.

So this time I used Yahoo! Mail's SMTP server and POP server
for the test and am sending the evidence of that test;
it occurs even with a different POP server.


Note that Mr. A first noticed this when a business partner pointed it out, which shows that at this point there were already cases amounting to a considerable problem as a leak of personal information.

November 23, 2010
Reply from the KDDI au E-mail inquiry desk asking Mr. A to cooperate with KDDI's investigation of the device.

November 24, 2010
Mr. A mails KDDI about his usage of the IS01 and agrees to the device investigation using the test mail.

November 24, 2010
Mr. A receives a phone call from a person in the customer consultation department, different from the person who had been in charge of the e-mail correspondence.

November 25, 2010
While investigation and verification continue, the contact is consolidated to the person in charge in the customer consultation department. From then on, it was by telephone only.

From here the exchange shifted from e-mail to telephone, but its content is quite absurd. A glimpse of that exchange can be seen in the reply Mr. A wrote to the e-mail desk after receiving the call.


Thank you for your continued help.
Thank you for calling me yesterday, Thursday, about the progress of this case.

When I got the call I was in the middle of work, so I could not afford to think carefully, but
we purchased the IS01 intending to use it for business, and
in a state where BCC is exposed to the parties specified in To it cannot be used for business, so
I cannot use it for the purpose I bought it for and am in serious trouble.

We are engaged in system development as a business, and
in fact it was a customer to whom I sent mail who pointed this out, so our own management of personal information was called into question.

Being asked "How much is the actual damage?",
which was presumably based on the calculation that I would not be able to answer "so many yen of damage right now",
I can only think of it as a question that makes light of the customer.

As a large company doing business in the field of communications and systems,
I think KDDI should know well
how carefully the handling of personal information must be treated.

When I got the first reply saying "no problem as a result of verification",
I thought that would not do for KDDI, so
I went to the trouble of using my own private e-mail address for testing
and taking evidence in order to cooperate, and yet
from yesterday's proposal I got only the impression of a corporate culture that makes light of personal information,
which I cannot accept.

Although you say it will be dealt with by an update, the IS01 has had mail sending troubles before, and
I do not feel it is a model I can use with confidence; unlike the previous mail sending trouble,
this time it is a more serious situation involving personal information, and
despite the fact that personal information remains in a state where it is leaking,
I feel that making no announcement is a serious problem that makes light of customers.

Since I noticed this problem, I no longer put addresses that must not be exposed
in BCC in the IS01 mail client, but
in response to what customers have noticed,
isn't some kind of warning necessary?

Also, as mentioned above, I feel I cannot use the IS01 with confidence;
could you prepare some alternative device equivalent to the IS01?

Thank you for your consideration.


First of all, asking an individual user "How much is the actual damage?" is quite an unrealistic question. What was lost in this exchange is not tangible but intangible, namely trust with business partners, and one can only say that the amount of the loss is beside the point.

In addition, although it is not written in that message, in response to Mr. A's point that the issue is how much mail leaked out, not how many yen it amounts to, the KDDI representative proposed "How about 5000 au points?" It is hard to believe that a customer support center would replace the problem that personal information has leaked with the size of a damage amount and try to settle it with a small number of points.

December 13, 2010
In response to Mr. A's protest above, there is a telephone call from KDDI. Below is the exchange as recorded by Mr. A. Mr. A's supplementary notes are in parentheses.


KDDI:
There are three points: "We apologize for the rude manner of asking about the damage amount, which could be taken as though it could not be calculated", "Why the bug is not published", and "Alternative devices cannot be prepared".

Mr. A:
Why is (the BCC defect) not announced?

KDDI:
There are few users who use BCC, and we can identify those users, so we will deal with them individually. Also, although nothing can be done other than the update, it is so that publishing the BCC bug does not conversely lead to it being abused.

Mr. A:
Is it a matter of the number of affected users? I also develop systems, and normally, even when a security hole is found in an OS or the like and no patch can be released, the hole is made public and users are urged to be careful. What do you think about that?

KDDI:
As I said earlier, we are concerned about abuse.

Mr. A:
(Do you not understand?) I no longer use the BCC function because I noticed this bug, but what about users who do not know about it and newly send mail, so that personal information leaks out?

KDDI:
You're right.

Mr. A:
So how will you deal with such users?

KDDI:
............

Mr. A:
Isn't that making light of customers? Saying such a thing, I can only think of it as a corporate culture that neglects customers' personal information and simply does not want to be embarrassed.

KDDI:
I also do not want to be in such an embarrassing position, and I cannot accept it either, but I cannot decide it individually. We will handle it as your feedback. I am a KDDI employee, but I myself am also an au user with three au mobile phones, and as an au user I am sorry that KDDI's handling has caused you inconvenience this time.

Mr. A:
Huh.... ('Д`) Ha... (So you officially acknowledge that you do not want to be embarrassed? And no, nobody asked whether you are a KDDI user, I have not heard about that yet... this is going nowhere)

KDDI:
It seems you cannot be convinced with that.

Mr. A:
I cannot accept it.

KDDI:
As for the third point, we are sorry, but we cannot prepare an alternative device.

Mr. A:
Yes……

KDDI:
Then we will end the call. Thank you for choosing au by KDDI.

Mr. A:
Yes. (No, that's enough)


It is quite shocking to hear "I cannot accept it either, but I cannot decide it individually", but KDDI's response to the problem this time was largely the same as its response to the inquiry made by the editorial department.

December 15, 2010
KDDI informs Mr. A that the BCC defect will be corrected with a mobile update.

As you can see from this exchange, KDDI had grasped the BCC defect at least as of November 19, and yet even with today's update the contents of this defect are not mentioned in the update details. It may not seem like a big problem, but as a defect in PC mail on a smartphone it is quite fatal.

When an Android smartphone is used for business, the BCC problem this time cannot simply be shrugged off; as in Mr. A's case, one may be suspected by customers or business partners regarding the handling of personal information. If you have used BCC even once in business, you can imagine a situation in which the BCC you used was treated as CC and all the destinations were visible, can't you?

However, what seems to be the biggest problem is that, although the device happens to be sold by two companies as sibling models, the response to this bug has, as we have seen, revealed the laxness of the two mobile carriers' awareness of information security.

We think this should be handled more thoroughly, but at present there seems to be no way for users to defend themselves other than to update immediately when the update is announced....

in Mobile, Posted by darkhorse_log