Ferguson had other ideas. "It could have been a sidejack," he said. Shorthand for session hijacking, the tactic takes advantage of session cookies that are sent in the clear by some Web services, including Yahoo Mail and Microsoft's Hotmail. "There's all that traffic flying in the clear," said Ferguson, "and there are tools now that let you steal someone's cookie in midsession."
Access to the cookie would provide access to, in this case, a Yahoo Mail account, Ferguson said. "This has happened to a couple of white hat hackers whose accounts were hacked," he said. "So it all goes back to the attacker thinking, 'Is it worth the effort?'"
Palin could have been victimized by a previous, and until now unknown, attack, too, said Ferguson and other researchers. "She could have gotten a keylogger," Ferguson said. "She's on the road all the time, and she could have been using a laptop on the road to access her Yahoo mail across hotel wireless networks."
Public Wi-Fi networks, such as those commonly found in most hotels, are rarely, if ever, locked down with encryption, since that would require users to enter passwords to connect to the Internet. For that reason, so-called "man-in-the-middle" attacks are most lucrative at unsecured hot spots.
"What with the recent discoveries like the DNS flaws, it's not unthinkable that Palin's e-mail could be intercepted," theorized Randy Abrams, director of technical education at security company ESET LLC. "But with just one person, a social engineering is much more plausible."
A spear-phishing attack -- an attempt at identity theft that's aimed at just one person or a small group -- made more sense to Abrams than a password reset hack. "For all we know, it could have been a hack on Yahoo's infrastructure."
The bottom line, said all three researchers, is that Web mail security leaves a lot to be desired. "The underlying issue here is that regardless of how Palin's account was hacked, Web mail platforms just don't have proper security for their users, whether it's a governor, who shouldn't be using one to begin with, or you or me," said Ferguson.
"This is the dark side of the cloud in cloud computing," said Abrams. "The inherent danger of cloud computing is that cloud dissipating. When you leave data somewhere where you don't control, it's potentially vulnerable."
Not coincidentally, the Yahoo executive in charge of Yahoo Mail today urged users to stiffen their passwords. In a post to a company blog, John Kremer, the vice president who oversees the mail service, recommended using long passwords that contained combinations of numbers and letters.
"In order to protect the privacy of our users, we can't get into specific details of any of our users' accounts," Kremer said in the post.
Computerworld's Sharon Machlis contributed to this report.