Risk
9/26/2013
12:00 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Yahoo Email Change Doesn't Solve Security Problem

Yahoo's "Not My Email" button may cut down on misdirected email, but security experts say Yahoo's solution doesn't address the underlying security issues.

10 Ways To Fight Email Overload
10 Ways To Fight Email Overload
(click image for larger view and for slideshow)
After InformationWeek reported on three Yahoo users who began receiving emails containing personal information intended for the former account holder -- including bank, wireless and social media account information -- Yahoo announced it would launch a tool to return messages that were not intended for users.

The new button, called "Not My Email," reportedly will roll out this week and will be found under the "Actions" tab in users' inboxes. The button will help users of recycled accounts train their inboxes to recognize which email is intended for them and which is not, eventually rejecting email before the user has read it.

Although this solution might help current owners of recycled Yahoo accounts combat the influx of misdirected mail, it ignores the underlying security problems, experts said. Emails containing personal information are still reaching users who have taken over a Yahoo email account, and that still poses significant privacy and security problems.

"Yahoo's button doesn't solve the big problem and I can't believe they're not taking this more seriously," said Chester Wisniewski, senior security advisor at security firm Sophos, in an interview. "I don't think they have any intentions of protecting these original account holders. They're doing this as a song and dance in front of the press and just to make the new accounts more palatable."

[ Do self-destructing emails sound like a good security practice? Read This Email Will Self-Destruct: AT&T Seeks Patent. ]

Wisniewski said that although account holders "with a conscience" will likely use the button to expedite the process of weeding out misdirected mail, it's irrational to think that users with more malicious intent would even consider it. "I wonder how many phishers out there are going to click the button to let Yahoo know they're getting these emails? I'm incensed by Yahoo's response because it's clear they're trying to placate people," he said.

Yahoo maintains that the number of people receiving others' email is minimal and that it takes the security and privacy of its users very seriously.

Mike Davis, CTO at CounterTack, a malware detection organization, said that although Yahoo's button is a step in the right direction, the company still needs to work on addressing the security threats. "Clicking the button just accelerates an unsubscribe process similar to how a company categorizes spam," he said in an interview. "You're going to have problems where the email address was used to authenticate someone, which makes it easy for people to take over accounts or gain access to something they shouldn't."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JMONTAGUE292
50%
50%
JMONTAGUE292,
User Rank: Apprentice
9/27/2013 | 7:39:26 PM
re: Yahoo Email Change Doesn't Solve Security Problem
The FCC makes some radio call signs available for reassignment (FCC's own assignment and in some cases by request). The minimum dormancy period for many, if not all, cases is 2 years after license expiration, license abandonment, or licensee's death (or dissolution of organization).

Given the abundant personal information that flows through email, a reason minimum period of dormancy should be 10+ years.
Kristin Burnham
50%
50%
Kristin Burnham,
User Rank: Apprentice
9/27/2013 | 2:04:51 PM
re: Yahoo Email Change Doesn't Solve Security Problem
@ubm_techweb_disqus_sso_-4c5bf4ba8d74c722d28ca4c34a7266ae:disqus Good advice--thanks for sharing!
ninjacoding
50%
50%
ninjacoding,
User Rank: Apprentice
9/27/2013 | 1:05:27 PM
re: Yahoo Email Change Doesn't Solve Security Problem
These researchers missed important aspect. Companies should take an active measures to ensure proper communication. If users deactives an account it should remain dormant for multiple years. In that time frame companies should at minimum do a yearly check to verify email communication. When that attempt is made the email message if deactived properly should returned an invalid address message and the company systems should deactivate use of that email account.
Instead companies use "do not reply" email accounts which simply dump the return message in to a "null" bin never looking to see if the account is invalid. From personal experience with a cable company, I have change the email address, deleted it as well, called them on it, and still I get mail from them using that old account.
Halwits
50%
50%
Halwits,
User Rank: Apprentice
9/27/2013 | 6:22:53 AM
re: Yahoo Email Change Doesn't Solve Security Problem
Yes , I agree with you.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
9/26/2013 | 7:11:58 PM
re: Yahoo Email Change Doesn't Solve Security Problem
Recycling email addresses is sheer craziness on Yahoo's part. It was a terrible idea, and this "fix" is a Band-Aid at best.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2227
Published: 2014-07-25
The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Networks UniFi Video (formerly AirVision aka AirVision Controller) before 3.0.1 does not restrict access to the application, which allows remote attackers to bypass the Same Origin Policy via a crafted SWF file.

CVE-2014-5027
Published: 2014-07-25
Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27 and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via a query parameter to a diff fragment page.

CVE-2014-5100
Published: 2014-07-25
Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_...

CVE-2014-5101
Published: 2014-07-25
Multiple cross-site scripting (XSS) vulnerabilities in WeBid 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) TPL_name, (2) TPL_nick, (3) TPL_email, (4) TPL_year, (5) TPL_address, (6) TPL_city, (7) TPL_prov, (8) TPL_zip, (9) TPL_phone, (10) TPL_pp_email, (11) TPL_authn...

CVE-2014-5102
Published: 2014-07-25
SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.