12:00 PM
Connect Directly

Yahoo Email Change Doesn't Solve Security Problem

Yahoo's "Not My Email" button may cut down on misdirected email, but security experts say Yahoo's solution doesn't address the underlying security issues.

10 Ways To Fight Email Overload
10 Ways To Fight Email Overload
(click image for larger view and for slideshow)
After InformationWeek reported on three Yahoo users who began receiving emails containing personal information intended for the former account holder -- including bank, wireless and social media account information -- Yahoo announced it would launch a tool to return messages that were not intended for users.

The new button, called "Not My Email," reportedly will roll out this week and will be found under the "Actions" tab in users' inboxes. The button will help users of recycled accounts train their inboxes to recognize which email is intended for them and which is not, eventually rejecting email before the user has read it.

Although this solution might help current owners of recycled Yahoo accounts combat the influx of misdirected mail, it ignores the underlying security problems, experts said. Emails containing personal information are still reaching users who have taken over a Yahoo email account, and that still poses significant privacy and security problems.

"Yahoo's button doesn't solve the big problem and I can't believe they're not taking this more seriously," said Chester Wisniewski, senior security advisor at security firm Sophos, in an interview. "I don't think they have any intentions of protecting these original account holders. They're doing this as a song and dance in front of the press and just to make the new accounts more palatable."

[ Do self-destructing emails sound like a good security practice? Read This Email Will Self-Destruct: AT&T Seeks Patent. ]

Wisniewski said that although account holders "with a conscience" will likely use the button to expedite the process of weeding out misdirected mail, it's irrational to think that users with more malicious intent would even consider it. "I wonder how many phishers out there are going to click the button to let Yahoo know they're getting these emails? I'm incensed by Yahoo's response because it's clear they're trying to placate people," he said.

Yahoo maintains that the number of people receiving others' email is minimal and that it takes the security and privacy of its users very seriously.

Mike Davis, CTO at CounterTack, a malware detection organization, said that although Yahoo's button is a step in the right direction, the company still needs to work on addressing the security threats. "Clicking the button just accelerates an unsubscribe process similar to how a company categorizes spam," he said in an interview. "You're going to have problems where the email address was used to authenticate someone, which makes it easy for people to take over accounts or gain access to something they shouldn't."

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/27/2013 | 7:39:26 PM
re: Yahoo Email Change Doesn't Solve Security Problem
The FCC makes some radio call signs available for reassignment (FCC's own assignment and in some cases by request). The minimum dormancy period for many, if not all, cases is 2 years after license expiration, license abandonment, or licensee's death (or dissolution of organization).

Given the abundant personal information that flows through email, a reason minimum period of dormancy should be 10+ years.
Kristin Burnham
Kristin Burnham,
User Rank: Apprentice
9/27/2013 | 2:04:51 PM
re: Yahoo Email Change Doesn't Solve Security Problem
@ubm_techweb_disqus_sso_-4c5bf4ba8d74c722d28ca4c34a7266ae:disqus Good advice--thanks for sharing!
User Rank: Apprentice
9/27/2013 | 1:05:27 PM
re: Yahoo Email Change Doesn't Solve Security Problem
These researchers missed important aspect. Companies should take an active measures to ensure proper communication. If users deactives an account it should remain dormant for multiple years. In that time frame companies should at minimum do a yearly check to verify email communication. When that attempt is made the email message if deactived properly should returned an invalid address message and the company systems should deactivate use of that email account.
Instead companies use "do not reply" email accounts which simply dump the return message in to a "null" bin never looking to see if the account is invalid. From personal experience with a cable company, I have change the email address, deleted it as well, called them on it, and still I get mail from them using that old account.
User Rank: Apprentice
9/27/2013 | 6:22:53 AM
re: Yahoo Email Change Doesn't Solve Security Problem
Yes , I agree with you.
User Rank: Apprentice
9/26/2013 | 7:11:58 PM
re: Yahoo Email Change Doesn't Solve Security Problem
Recycling email addresses is sheer craziness on Yahoo's part. It was a terrible idea, and this "fix" is a Band-Aid at best.
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-08
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

Published: 2015-10-08
Cybozu Garoon 3.x through 3.7.5 and 4.x through 4.0.3 mishandles authentication requests, which allows remote authenticated users to conduct LDAP injection attacks, and consequently bypass intended login restrictions or obtain sensitive information, by leveraging certain group-administration privile...

Published: 2015-10-08
The REST interface in Cisco Unified Communications Manager IM and Presence Service 11.5(1) allows remote attackers to cause a denial of service (SIP proxy service restart) via a crafted HTTP request, aka Bug ID CSCuw31632.

Published: 2015-10-08
Cisco Wireless LAN Controller (WLC) devices with software 7.0(240.0), 7.3(101.0), and 7.4(1.19) allow remote attackers to cause a denial of service (device outage) by sending malformed 802.11i management data to a managed access point, aka Bug ID CSCub65236.

Published: 2015-10-06
libstagefright in Android before 5.1.1 LMY48T allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 21335999.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.