Vulnerabilities / Threats
9/23/2013
09:48 AM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Yahoo Recycled Emails: Users Find Security Surprises

Some Yahoo users who took advantage of recycled IDs report they're getting emails intended for the old account holders -- including personal data.

Yahoo's initiative to free up dormant accounts began in mid-June when the company first announced its plan. "Today, I'm excited to share with you our next big push: We want to give our loyal users and new folks the opportunity to sign up for the Yahoo ID they've always wanted," wrote Jay Rossiter, senior VP of platforms, on the company's Tumblr. A Yahoo ID is a user name that lets you access all of the company's personalized services, such as messenger, email and more.

Yahoo said it would alert users who had been inactive for at least 12 months and instruct them to login to their accounts if they wanted to keep them. Accounts that remained dormant would be recycled and up for grabs.

In July, Yahoo opened up a wish list where users could name their top five choices for a username. Come August, Yahoo would contact them if one of their IDs was available and send them instructions to claim it within 48 hours.

Almost immediately, privacy advocates and security analysts criticized Yahoo's initiative. Some called it "an underhanded and risky way to get people to re-engage with Yahoo," while others called attention to the real potential for others to take over people's identities via password resets and other methods.

Following the criticism, Yahoo released a statement reaffirming its confidence in the initiative and shedding more light on the steps it would take to ensure privacy and security. The company said that personal data and private content associated with the accounts would be deleted and would not be accessible to the new account holder.

"To ensure that these accounts are recycled safely and securely, we're doing several things. We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we'll send bounce-back emails alerting senders that the deactivated account no longer exists. We will also unsubscribe these accounts from commercial emails such as newsletters and email alerts, among others. Upon deactivation, we will send notification for these potentially recycled accounts to merchants, e-commerce sites, financial institutions, social networks, email providers and other online properties."

In July, Yahoo followed up with more details about its security efforts. The company said it would work with businesses to implement a "Require-Recipient-Valid-Since" (RRVS) header. If you submit a Facebook request to reset your password, for example, Facebook would add the RRVS header to the reset email, and the new header would signal to Yahoo to check the age of the account before delivering the mail. If the values don't match, the email would bounce.

Yahoo's security measures appeared sound in theory, said Gant Redmon, general counsel and VP with privacy and security company Co3 Systems, but failed in practice.

Yahoo's idea was problematic from the start, Redmon said. "I can understand why Yahoo would want to do it: It's a legacy email service that they're trying to turn around and generate more interest in. But the initiative is troublesome," he said in an interview. "Email has become a primary identifier because no two people are supposed to have the same email address. When you sign up for it, you think it's yours for life."

However, Terry Cutler, chief technology officer at IT security company Digital Locksmiths, said he's surprised that Yahoo's security measures allowed for such a slip in the examples of Jenkins, Harris and Newman. "Yahoo seems to have done it right," Cutler said in an interview. "They did the right thing by shutting down accounts for a period of time, which should have helped to clean them up. But something's clearly not working, and that's a big problem."

Previous
2 of 3
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BubbaIT
50%
50%
BubbaIT,
User Rank: Apprentice
9/25/2013 | 5:03:29 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
My immediate reaction to what Yahoo is done is that it's typical of the new Yahoo. If Yahoo were truly concerned about the privacy of their users, they would retire inactive email addresses and terminate the service for those accounts. The fact that they're trying to get people interested in Yahoo email in this way shows just how clueless they actually are.

They redesigned their Groups service with something called Neo. I have no problem or objection to recasting the look of a free service, or even a paid one for that matter, but to break the functionality that people have used for years for the sake of something merely new is unforgivable. Yahoo's terms of service are essentially that they can do whatever they want, whenever they want to do it, and you have no real recourse - except to either deal with the fallout of gimcrack implementation or take your business elsewhere. That is not the way to build up a trust relationship with people you want to court or maintain as customers.
John109
50%
50%
John109,
User Rank: Apprentice
9/25/2013 | 3:11:42 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
People make a lot of fuss over this, but how do you think plain old mail system works?

If you don't change your home address when you move, companies still send you sensitive information to your old address just as easy for the taking. You really think the new guy at your old place never opened your mail? You really think that little paper envelope will guard your information from those prying eyes? Really?

Wake up people, the Internet isn't some new place with a complete new set of rules, it's the freaking same thing as in real life...
cbabcock
50%
50%
cbabcock,
User Rank: Apprentice
9/25/2013 | 12:50:31 AM
re: Yahoo Recycled Emails: Users Find Security Surprises
Makes me glad that I'm paying $20 a year for my account with Yahoo! I once sent a long message to an old friend, trying to catch up, and it came back from someone in the UK saying that he now possessed the address and realized my message wasn't intended for him. He was courteous and did the right thing. The opportunities for this process to go awry don't need to be delineated, beyond the story above.
Guest
50%
50%
Guest,
User Rank: Apprentice
9/24/2013 | 6:02:27 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
Mike Bracco @bracco tweeted that he forwards all email (even old accounts he doesn't use) because he doesn't ever want to lose past namespaces. Readers: How do you treat your email addresses differently?
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
9/24/2013 | 4:33:58 PM
re: Yahoo Recycled Emails: Users Find Security Surprises
The notion that a free email address will be "yours for life" seems a tad optimistic. But these users saw the flip side of recycling IDs.

Readers, are you surprised by the "risk shift" approach? Have you had experiences like this with other providers? Let's hear from you.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8551
Published: 2014-11-26
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to execute arbitrary code via crafted packets.

CVE-2014-8552
Published: 2014-11-26
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to read arbitrary files via crafted packets.

CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?