VYPR
← All advisories
Unrated severityNVD Advisory· Published May 11, 2005· Updated Apr 16, 2026

CVE-2005-1505

CVE-2005-1505

Description

The new account wizard in Mail.app 2.0 in Mac OS 10.4, when configuring an IMAP mail account and checking the credentials, does not prompt the user to use SSL until after the password has already been sent, which causes the password to be sent in plaintext.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Patches

Vulnerability mechanics

Root cause

"The account wizard validates IMAP credentials by logging in over plaintext IMAP before giving the user the option to enable SSL."

Attack vector

An attacker on the network path between the victim and the IMAP server can capture the plaintext password. The wizard first asks for the incoming mail server, username, and password, then immediately attempts to validate the credentials by connecting to the IMAP server on port 143 (insecure) without SSL [ref_id=1]. Only after this validation step does the wizard ask whether to use SSL, at which point the password has already been transmitted in cleartext [ref_id=1].

Affected code

The vulnerability is in the new-account wizard of Mail.app 2.0 (Mail 2.0) on Mac OS 10.4. The wizard's account validation logic attempts an IMAP login before presenting the SSL option to the user [ref_id=1].

What the fix does

No patch is included in the bundle. The advisory recommends that the wizard should either open a socket without logging in, or ask whether to use SSL before validating the account settings [ref_id=1]. Apple did not provide a public response to the bug report filed on 01-May-2005 (Problem ID: 4104391) at the time of disclosure [ref_id=1].

Preconditions

  • configThe victim's email ISP must provide an IMAP server on port 143 (insecure) alongside IMAP-over-SSL on port 993
  • networkThe attacker must be able to sniff network traffic between the victim and the IMAP server (e.g., on a local network or compromised gateway)
  • inputThe victim must be creating a new IMAP account via Mail.app 2.0's wizard (first launch or File > Add Account)

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.