Assuming the mailbox hack is not an elaborate ruse, how did they do it?

Almost as bad as the Sprint PCS password reset fiasco that made the news in April, here is the Yahoo Mail password reset screen:

As you can see, you need to know the user's birthday, country of residence, and postal code. Not difficult information to dig up in Palin's case. After you enter this information correctly, you are asked to type in the alternate e-mail address that's associated with the account. But they give you hints -- so if your alternate e-mail was, they would show you s****@a*****.gov.

Assuming you guess the alternate e-mail correctly, Yahoo mails a password reset link to that address. So it's likely that the attacker may have also had to gain access to her alternate e-mail account. Either that, or they exploited a vulnerability in the Yahoo password reset mechanism itself, which seems less likely but not implausible.

So Yahoo itself probably didn't get hacked, per se, even though there will probably be a lot of FUD in the media about that.

Update 08/18/2008 1:00am EST:

Just found this writeup describing how it transpired: Again, not vouching for the authenticity but it does seem plausible, and it's consistent with my password reset theory. I guess my Yahoo account doesn't have a secret question defined so I wasn't presented that option when I tested the reset mechanism earlier today.

Just for fun, here's the list of non-customizable secret questions Yahoo lets you pick from, as of tonight:

And they sure don't make it easy for you to update your secret question, do they? (must be logged in to Yahoo for that link to work)

Veracode Security Solutions
Veracode Security Threat Guides

About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Comments (8)

CEng | September 17, 2008 3:52 pm

Chatting w/Billy Rios on Twitter earlier, he pointed out that even though Yahoo requires an alternate e-mail address when signing up for an account <i>today</i>, maybe if you created your account several years ago (as Palin probably did) that requirement didn't exist. In which case, maybe the birthday, country, and postal code would have been sufficient to carry out the password reset. Anybody with an old Yahoo Mail account to test this theory?

cwysopal | September 17, 2008 8:03 pm

I just tried this with my Yahoo account which isn't more that 3 or 4 years old. When I say I forgot my password it asks if I can still access my alternate email account. I can opt "no" which is a major security downgrade. Then it asks me my secret question such as pet's name. If I know the answer I get to reset my password. My guess is the attackers did this and selected that they couldn't access the alternate email account. Then they guessed the answer to Gov. Palin's secret questions. If it was "what is your pet's name", that information may be public. I think it is a bad idea to do anything more than personal, friendly chit chat on Yahoo Mail.

cwysopal | September 17, 2008 8:58 pm

A poster up on claims this is how he did it: after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!) the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs. I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

MikeA | September 17, 2008 11:56 pm

Perhaps a question, one that I've not heard many people ask during all this is... Could it be an insider attack? All these other attack methods are certainly a good possibility, but there's plenty of people inside Yahoo, lots "democratic" in nature, and I'm not sure about Yahoo, but most companies are pretty open from the inside. There's certainly a (perhaps small) likelihood that someone inside Y! could have "thrown a switch" or "leaked info" about the account. It's not as if Y!'s don't have enough to be pissed off about already, and job security isn't exactly top of the agenda either. Just a thought.

CEng | September 18, 2008 12:08 am

@Chris Wysopal: Weird, when I tried that "can't access alternate e-mail account" option, it told me my password couldn't be reset online. Maybe I don't have a secret question defined. @MikeA: Sounds like this was so easy that no insider info was required.

MikeA | September 18, 2008 4:19 am

Yep, after seeing the new details come out, I agree it doesn't look like an inside job at all - as you said Chris, it was far too easy (which is sad in-and-of-itself). If these people get in they will be in charge of our nuclear codes. Who's betting that it won't be something like '1234' ;)

MikeA | September 18, 2008 4:29 am

Crap, sorry, met to post this as well. Apparently the guy was behind a proxy (says so in his write up), and could easily be traced now. Also seems that nothing substantive was found in the account because it was the account instead of - don't know about you, but I separate out email accounts to work/personal, and the wrong one (well, at least the one everyone was speculating about the contents) was hacked. However, I can't imagine that having access to one wouldn't get you access to the other - I could easily see password/information sharing going on.

Anonymous | September 18, 2008 4:59 am

Anonymous is not a group of hackers - it's a leaderless collective of like-minded individuals, from all walks of life.

Please Post Your Comments & Reviews

Your email address will not be published. Required fields are marked *

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.