Risk
9/26/2013
12:00 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Yahoo Email Change Doesn't Solve Security Problem

Yahoo's "Not My Email" button may cut down on misdirected email, but security experts say Yahoo's solution doesn't address the underlying security issues.

10 Ways To Fight Email Overload
10 Ways To Fight Email Overload
(click image for larger view and for slideshow)
After InformationWeek reported on three Yahoo users who began receiving emails containing personal information intended for the former account holder -- including bank, wireless and social media account information -- Yahoo announced it would launch a tool to return messages that were not intended for users.

The new button, called "Not My Email," reportedly will roll out this week and will be found under the "Actions" tab in users' inboxes. The button will help users of recycled accounts train their inboxes to recognize which email is intended for them and which is not, eventually rejecting email before the user has read it.

Although this solution might help current owners of recycled Yahoo accounts combat the influx of misdirected mail, it ignores the underlying security problems, experts said. Emails containing personal information are still reaching users who have taken over a Yahoo email account, and that still poses significant privacy and security problems.

"Yahoo's button doesn't solve the big problem and I can't believe they're not taking this more seriously," said Chester Wisniewski, senior security advisor at security firm Sophos, in an interview. "I don't think they have any intentions of protecting these original account holders. They're doing this as a song and dance in front of the press and just to make the new accounts more palatable."

[ Do self-destructing emails sound like a good security practice? Read This Email Will Self-Destruct: AT&T Seeks Patent. ]

Wisniewski said that although account holders "with a conscience" will likely use the button to expedite the process of weeding out misdirected mail, it's irrational to think that users with more malicious intent would even consider it. "I wonder how many phishers out there are going to click the button to let Yahoo know they're getting these emails? I'm incensed by Yahoo's response because it's clear they're trying to placate people," he said.

Yahoo maintains that the number of people receiving others' email is minimal and that it takes the security and privacy of its users very seriously.

Mike Davis, CTO at CounterTack, a malware detection organization, said that although Yahoo's button is a step in the right direction, the company still needs to work on addressing the security threats. "Clicking the button just accelerates an unsubscribe process similar to how a company categorizes spam," he said in an interview. "You're going to have problems where the email address was used to authenticate someone, which makes it easy for people to take over accounts or gain access to something they shouldn't."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
9/26/2013 | 7:11:58 PM
re: Yahoo Email Change Doesn't Solve Security Problem
Recycling email addresses is sheer craziness on Yahoo's part. It was a terrible idea, and this "fix" is a Band-Aid at best.
Halwits
50%
50%
Halwits,
User Rank: Apprentice
9/27/2013 | 6:22:53 AM
re: Yahoo Email Change Doesn't Solve Security Problem
Yes , I agree with you.
ninjacoding
50%
50%
ninjacoding,
User Rank: Apprentice
9/27/2013 | 1:05:27 PM
re: Yahoo Email Change Doesn't Solve Security Problem
These researchers missed important aspect. Companies should take an active measures to ensure proper communication. If users deactives an account it should remain dormant for multiple years. In that time frame companies should at minimum do a yearly check to verify email communication. When that attempt is made the email message if deactived properly should returned an invalid address message and the company systems should deactivate use of that email account.
Instead companies use "do not reply" email accounts which simply dump the return message in to a "null" bin never looking to see if the account is invalid. From personal experience with a cable company, I have change the email address, deleted it as well, called them on it, and still I get mail from them using that old account.
Kristin Burnham
50%
50%
Kristin Burnham,
User Rank: Apprentice
9/27/2013 | 2:04:51 PM
re: Yahoo Email Change Doesn't Solve Security Problem
@ubm_techweb_disqus_sso_-4c5bf4ba8d74c722d28ca4c34a7266ae:disqus Good advice--thanks for sharing!
JMONTAGUE292
50%
50%
JMONTAGUE292,
User Rank: Apprentice
9/27/2013 | 7:39:26 PM
re: Yahoo Email Change Doesn't Solve Security Problem
The FCC makes some radio call signs available for reassignment (FCC's own assignment and in some cases by request). The minimum dormancy period for many, if not all, cases is 2 years after license expiration, license abandonment, or licensee's death (or dissolution of organization).

Given the abundant personal information that flows through email, a reason minimum period of dormancy should be 10+ years.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6856
Published: 2014-10-02
The AHRAH (aka com.vet2pet.aid219426) application 219426 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6857
Published: 2014-10-02
The Car Wallpapers HD (aka com.arab4x4.gallery.app) application 1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6858
Published: 2014-10-02
The Mostafa Shemeas (aka com.mostafa.shemeas.website) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6859
Published: 2014-10-02
The Daum Maps - Subway (aka net.daum.android.map) application 3.9.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6860
Published: 2014-10-02
The Trial Tracker (aka com.etcweb.android.trial_tracker) application 1.1.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.