Assuming the mailbox hack is not an elaborate ruse, how did they do it?

Almost as bad as the Sprint PCS password reset fiasco that made the news in April, here is the Yahoo Mail password reset screen:

As you can see, you need to know the user's birthday, country of residence, and postal code. Not difficult information to dig up in Palin's case. After you enter this information correctly, you are asked to type in the alternate e-mail address that's associated with the account. But they give you hints -- so if your alternate e-mail was [email protected], they would show you s****@a*****.gov.

Assuming you guess the alternate e-mail correctly, Yahoo mails a password reset link to that address. So it's likely that the attacker may have also had to gain access to her alternate e-mail account. Either that, or they exploited a vulnerability in the Yahoo password reset mechanism itself, which seems less likely but not implausible.

So Yahoo itself probably didn't get hacked, per se, even though there will probably be a lot of FUD in the media about that.

Update 08/18/2008 1:00am EST:

Just found this writeup describing how it transpired: http://pastebin.com/f7fb944c5. Again, not vouching for the authenticity but it does seem plausible, and it's consistent with my password reset theory. I guess my Yahoo account doesn't have a secret question defined so I wasn't presented that option when I tested the reset mechanism earlier today.

Just for fun, here's the list of non-customizable secret questions Yahoo lets you pick from, as of tonight:

And they sure don't make it easy for you to update your secret question, do they? (must be logged in to Yahoo for that link to work)

Veracode Security Solutions
Veracode Security Threat Guides

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

 

 

contact menu