Assuming the mailbox hack is not an elaborate ruse, how did they do it?
Almost as bad as the Sprint PCS password reset fiasco that made the news in April, here is the Yahoo Mail password reset screen:
As you can see, you need to know the user’s birthday, country of residence, and postal code. Not difficult information to dig up in Palin’s case, as shown here. After you enter this information correctly, you are asked to type in the alternate e-mail address that’s associated with the account. But they give you hints — so if your alternate e-mail was email@example.com, they would show you s****@a*****.gov.
Assuming you guess the alternate e-mail correctly, Yahoo mails a password reset link to that address. So the attacker most likely also had to gain access to her alternate e-mail account. Either that, or they exploited a vulnerability in the Yahoo password reset mechanism itself, which seems less likely but not implausible.
So Yahoo itself probably didn’t get hacked, per se, even though there will probably be a lot of FUD in the media about that.
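To make the weakness in the flow described above concrete, here is an added example (mine, not Yahoo's code or anything from the post) that reproduces the masked-hint style the post describes and then models a hardened reset flow: no hint at all, the same reply whether or not the supplied alternate address matches, a per-account attempt cap, and a single-use, time-limited token. The `ResetService` class, its limits and the sample account are all assumptions for illustration.

```python
import hmac
import secrets
import time

def hint_mask(addr):
    """Reproduce the hint style described in the post: first character of the
    local part and of the domain, everything else starred, TLD left visible."""
    local, domain = addr.split("@", 1)
    name, tld = domain.rsplit(".", 1)
    return f"{local[0]}{'*' * (len(local) - 1)}@{name[0]}{'*' * (len(name) - 1)}.{tld}"

class ResetService:
    """Hypothetical hardened flow: no hint, identical reply for right and
    wrong guesses, per-account attempt cap, single-use time-limited token."""
    TOKEN_TTL = 900      # seconds a reset link stays valid (assumed value)
    MAX_ATTEMPTS = 5     # reset requests allowed per account (assumed value)

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts   # username -> {"alt_email": ..., "password": ...}
        self.clock = clock         # injectable so expiry can be tested
        self.tokens = {}           # token -> (username, expiry)
        self.attempts = {}         # username -> reset requests seen
        self.outbox = []           # constructed stand-in for mail delivery

    def request_reset(self, username, claimed_alt_email):
        self.attempts[username] = self.attempts.get(username, 0) + 1
        acct = self.accounts.get(username)
        # compare_digest avoids leaking the stored address through timing;
        # the caller learns nothing from the return value either way.
        if (acct is not None
                and self.attempts[username] <= self.MAX_ATTEMPTS
                and hmac.compare_digest(acct["alt_email"].lower(),
                                        claimed_alt_email.lower())):
            token = secrets.token_urlsafe(32)
            self.tokens[token] = (username, self.clock() + self.TOKEN_TTL)
            self.outbox.append((acct["alt_email"], token))
        return "If the details match, a reset link has been sent."

    def redeem(self, token, new_password):
        entry = self.tokens.pop(token, None)   # single use: gone after this
        if entry is None:
            return False
        username, expiry = entry
        if self.clock() > expiry:
            return False
        self.accounts[username]["password"] = new_password
        return True
```

The masked hint narrows the guess space for anyone who already knows a little about the target; the hardened flow gives the requester no feedback at all until they prove control of the alternate mailbox.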
Update 08/18/2008 1:00am EST:
Just found this writeup describing how it transpired: http://pastebin.com/f7fb944c5. Again, not vouching for the authenticity but it does seem plausible, and it’s consistent with my password reset theory. I guess my Yahoo account doesn’t have a secret question defined so I wasn’t presented that option when I tested the reset mechanism earlier today.
Just for fun, here’s the list of non-customizable secret questions Yahoo lets you pick from, as of tonight:
And they sure don’t make it easy for you to update your secret question, do they? (must be logged in to Yahoo for that link to work)