Yahoo, Hotmail, Gmail all vulnerable to Palin-style password-reset hack
Tactic used to access VP candidate's e-mail works on the top three services
Computerworld - Yahoo Mail isn't the only Web-based mail service that could be duped into giving up someone else's account password, the tactic that some have argued was used to break into Gov. Sarah Palin's e-mail earlier this week.
Google Inc.'s Gmail, Microsoft Corp.'s Windows Live Hotmail and Yahoo Inc.'s Mail all rely on automated password-reset mechanisms that can be abused by anyone who knows the username associated with an account and an answer to a single security question, according to quick tests run by Computerworld.
Computerworld reporters and editors were able to "break" into their own and colleagues' accounts on all three services, then reset passwords armed only with the account's username and the correct response to one of a limited number of common security questions, such as mother's maiden name, the name of a favorite pet or the make of a first car.
Some of the personal information that would provide answers to the security questions may be easily found by searching social networking sites or the Internet, the approach a hacker labeled as "rubico" claimed to have used to dig up the responses necessary to access Palin's account.
Hackers who know the username of an account -- which is often identical to the part of the e-mail address that precedes the "@" symbol -- and correctly type the distorted "CAPTCHA" characters are faced with only a security question before being allowed to change the account password. (CAPTCHA, or "Completely Automated Public Turing Test to Tell Computers and Humans Apart," is the name for the security tool that uses distorted, scrambled characters to stymie automated bots.)
None of the services required that the new password be sent to an alternate e-mail address -- although that was an option for all three -- and instead offered an all-online process.
Adam O'Donnell, director of emerging technologies at message security vendor Cloudmark Inc., said that automated password-reset is the rule in Web-based mail, whether the service is free, like Yahoo, Hotmail and Gmail, or offered as part of the monthly fee by one's Internet service provider.
"ISPs have razor-thin margins, and one call to the help desk to reset a password would wipe out the month's profit on that user," said O'Donnell in an interview yesterday.
At the time, although other security experts were skeptical of the hacker's claim to have accessed Palin's account through a password-reset, O'Donnell had said it sounded "very plausible."
According to rubico, who some have speculated is the 20-year-old son of a Tennessee state legislator, the online research needed to reset Palin's password took just 45 minutes.
Palin e-mail hack
- Yahoo, Hotmail, Gmail all vulnerable to Palin-style password-reset hack
- Report: Tenn. legislator confirms son is at center of Palin hack chatter
- Web proxy firm working with FBI to trace Palin e-mail hacker
- IT Blogwatch: Sarah Palin e-mail hacker drops anchor, arrr!
- Security researchers ponder possible Palin hacks
- Update: Hackers claim to break into Palin's Yahoo Mail account
- Sharon Machlis: Yahoo users: Like Sarah Palin, you may be vulnerable to an e-mail hack
- Douglas Schweitzer: How safe is your e-mail correspondence?
- Global News Update: Thursday, September 18, 2008
Read more about Networking in Computerworld's Networking Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- The Critical Role of Support in Your Enterprise Mobility Management Strategy Most business leaders underestimate the importance of tech support when they choose an EMM solution. Here's what to put on your checklist.
- Separating Work and Personal at the Platform Level: How BlackBerry Balance Works BlackBerry® Balance™ separates work from personal on the same mobile device, right at a platform level. Find out how it can work for...
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Getting Ready for BlackBerry Enterprise Service 10.2 Find out how BlackBerry® Enterprise Service 10 helps organizations address the full spectrum of EMM challenges, while balancing the needs of both the...
- Containerization Options: How to Choose the Best DLP Solution for Your Organization This webcast outlines a framework for making the right choice when it comes to containerization approaches, along with the pros and cons of... All Networking White Papers | Webcasts