AppSec Blog

Following a Trail of Breadcrumbs - A Design Flaw in Yahoo! Mail

It's my pleasure to post this guest blog from my colleague and fellow security professional, Khash Kiani, about an interesting design flaw in Yahoo! Mail.

Intent
The ultimate goal of this exercise was to reveal a few fundamental design flaws with the authentication mechanism of Yahoo! Mail, more specifically its password reset scheme.

The exercise also intended to bring awareness to one of the most often used attack vectors of low-tech hacking: find a simple technical flaw in an application and exploit it via manual techniques. This case study illustrates how social engineers play with people's trust and utilize basic techniques to gain information about individuals; information that would ultimately be leveraged to gain unauthorized access to Yahoo! Mail accounts.

Find the weak link.

The plan for this exercise was to use one of the most fundamental tactics of social engineering: obtaining information that is mostly considered harmless, but can be leveraged to gain access to something sensitive, such as an email account. Yahoo! Mail's Forgot Password feature provided a path of least resistance for this exercise. Secret questions, one of the most common ways of resetting passwords, are just as important as the password itself; allowing the user to reset the password, and therefore act as another form of authentication.

Sarah Palin is a great example of how a hacker can use secret questions to compromise an account. Palin used a Yahoo! email address, gov.palin@yahoo.com. But like most people, she selected an easy-to-guess question, "Where did you meet your husband?". This question was asked right after the user was presented with "What is your Birthday?" and "What is your Postal Code?" questions; all public and the majority available on her Wikipedia page.

The Attack
Target: Jordan. A casual acquaintance of the attacker.

Step I
Compromise personal information to answer secret questions of Yahoo!'s forgot password feature: There are many different ways of gaining access to information needed for this exploit. Some of the options available to a social engineer can range from using the telephone or the Internet to obtain the information.

Question 1: "What town was your father born in?"

Compromise: Jordan's parents were born in Venezuela. The attacker performed a search for the largest cities in that country. The answer was the third one on the list.

Question 2: "What street did you grow up on?"

Compromise: From the free People Search Engine sites, the attacker used Zabasearch.com and typed in the name and the state and received a list of all potential addresses. The first 4 attempts failed, but the 5th one succeeded.

And that's all. Using the above information the attacker was able to reset the password and get into the email account.

Once inside the Yahoo! account, the attacker was able to fully compromise the account by changing all of Jordan's password reset information such as the secret questions, the email address where the password reset link is sent to, and even change the mobile number associated with the account.

Step II
Up the ante: Once inside target's Yahoo! account, the attacker searched for the keyword "password" and found all previous password reset links sent to this account from various sites such as MySpace, and Facebook. The attacker was then able to go to any of these sites and utilize their "forgot password feature" to reset the password via the compromised Yahoo! account.

But why stop there?

Step III
Compromise the rest: Once the attacker had compromised one email account, it was fairly easy to access the rest. Most peoples' email accounts are linked via the password reset functionality. Yahoo!, Gmail, Hotmail and others give the user the ability to add at least one additional email address where a password reset form can be sent to. So once one of Jordan's email accounts was accessed and fully compromised, the rest followed. Again, once inside, each account's password recovery questions and linked email address was replaced, preventing the target from resetting her own passwords.

Step IV
Inform the target: By now the attacker has replaced Jordan's password on two of her Yahoo! accounts, Gmail account, Facebook, Myspace and Paypal. This was probably a good time to stop and inform his target about the compromise.

Elapsed time, 40 minutes. Game over.

Defense Against Retaliation

Knowing his target's personality and expertise, the attacker knew that Jordan was going to retaliate against his email accounts. So he took the following measures, in order to ensure she wasn't able to exploit him in a similar fashion:

  • The attacker visited his Gmail and a few other web sites to make sure that the password reset features did not utilize his not-so-secure Yahoo! Mail account.
  • The attacker strengthened his Yahoo! Mail secret questions and answers with something only he would be able to answer. For instance:
    • Question: "Pwd is?"
    • Answer: "A strong pass phrase"

While testing these security controls, the attacker noticed a several fundamental design flaws in Yahoo! Mail's password reset feature. Unfortunately, these issues prevented him from securing his own account.

Flaws

Password Reset Flaw #1
In Yahoo! Mail, users are able to modify their secret questions via the "Update password reset info" feature. However, during the password recovery process, users are given the option to revert back to the original questions by clicking the "This is not my question" link on the "Please answer your secret question" page. As a result, you can never replace your original secret questions.

Clicking "This is not my question" displays the original secret question

What if you kept the original questions, but replaced the answers with something stronger or more obscure? For instance:

  • Question: "Where did you spend your honeymoon"
  • Original answer: "France"
  • A more secure answer: "my favorite country in Europe"

But astoundingly that is not possible due to another flaw.

Password Reset Flaw #2
In Yahoo!, when changing the answer to a secret question, the functionality is designed in such way that your new answer does not "replace" the old one; instead the new answer is added to the list.

With this issue, users end up with a collection of identical questions, and different answers where any of them will satisfy that specific question.

Basically, the original, default, insecure questions and answers were still accessible. And that's exactly how Jordan got in!

The following two screenshots demonstrate that it is impossible to strengthen the answer to an existing secret question.

There is more

With older Yahoo! Accounts, the first secret question is the account holder's registered Birthday, Country and Postal Code. Many people still maintain this set as their first secret question. Some of this information could be retrieved from social networking sites like Facebook or by performing a quick search on PeopleFinders.com or Zabasearch.com. Alternatively, the attacker can revert to basic social engineering tactics to compromise this information.

For example, a new target, Jennifer, still maintained her original default secret questions: Birthday, Country, and Postal Code; followed by "What is My Full Name?". Some basic recon about the target reveals that she lived in Tacoma at some point during her high school years. The attacker then creates an anonymous Yahoo! account with the Yahoo! ID Linda1_Tacoma.

Using a Yahoo! IM client, the attacker "Added a Contact" which Jennifer accepted. This is not guaranteed to work. If Jennifer had rejected the request, the attacker could either try again later with a different Yahoo! ID, or move on to another target.

The attacker has retrieved Jennifer's Date of Birth, a small list of Zip Codes to choose from, and her Last Name. With that information her Yahoo! account can be compromised. The attacker also used her Full Name and Location Information to compromise her Hotmail account.

Key Points:

Regardless of what form of communication the social engineers use to gain information from the target, they always follow a few key principles:

  • Establish trust before fully engaging the target.
  • Always bury the key questions among innocent ones.
  • Never end the conversation after getting key questions answered.
  • Don't "burn your mark". Sometimes you may need to slow down or stop asking questions altogether and try later.

Conclusion

After discussing these issues with Yahoo!'s security team, there seems to be one main motivation behind these design decisions: Giving the "victim" the ability to regain access to a compromised account via her "original" secret questions that the attacker has no way of changing.

These solutions could be effective for a scenario where the attacker has learned a victim's password, but not the account's secret questions. However, the unfortunate side affect of these design decisions are the flaws we have described above.

These questionable design decisions in the Password Recovery scheme highlight the importance of injecting thorough security throughout the Software Development Life Cycle (SDLC). General security best practices always encourage that security reviews and testing should be integrated throughout the SDLC. Perhaps with the proper amount of security review during the design phase, and understanding the ease of exploitation via secret questions, these issues would have been detected and addressed early on.

These exercises show us how easily someone can access another's email and other accounts that are designed in a similar fashion. As a general practice, everyone should delete old email accounts that aren't needed. Make your online presence as solid as possible, and avoid leaving online breadcrumbs all over the place. You never know who might want to cause you some headache down the road by compromising your accounts.

Khash Kiani
khashsec@gmail.com

?

14 Comments

Posted March 3, 2010 at 12:30 AM | Permalink | Reply

Matt

This is a great article with lots of details. You would think they would fix these issues by now! Makes you really wonder.

Posted March 3, 2010 at 3:15 PM | Permalink | Reply

JB

I'm just wondering, why did you black out the street and city in your screen cap, but not the zip? That will tell me what city it is.

Posted March 3, 2010 at 4:43 PM | Permalink | Reply

JW

I'd be curious to learn about all the good reasons behind this suspect implementation '' particularly since yahoo has been focusing so much on security as of late ''
Good post and good basic social-eng techniques to get the info . All very good points about social-engr's key principles. All so very true.

Posted March 3, 2010 at 6:21 PM | Permalink | Reply

Emile Baizel

Excellent post. It's scary that such a big site as Yahoo! has these flaws, acknowledges they have these flaws, and yet do nothing about it!

Posted March 4, 2010 at 12:00 AM | Permalink | Reply

JakPen

Crazy! ! !
one would think that these kind of security holes would have been well thought out by some of the earliest players in the game, like Yahoo!''
goes to show the cunning of human ingenuity

Posted March 4, 2010 at 8:35 PM | Permalink | Reply

TheLightCosine

A very nice writeup, well written and fun to read. Sad that the same old tricks never die.

Posted March 5, 2010 at 12:16 AM | Permalink | Reply

Khash Kiani

JB,
No specific reason for masking the city names.
JW,
Regarding your question about "all the reasons for this suspect implementation: I was just discussing this with a friend the other day and we believe the reasons are twofold: Firstly, giving the victim the ability to gain access to her compromised account via the original secret questions. And secondly, perhaps more importantly, reducing customer service costs associated with this "self service" account recovery.
Whatever the reasons for this implementation, if a Security Threat Assessment is conducted and ALL the risks weighted, these issues would be addressed.

Posted March 5, 2010 at 1:00 AM | Permalink | Reply

Anon

Now I know exactly how my yahoo account keeps getting compromised even after changing my password and secret questions. Congratulations! This is a very good post and the nice little story behind it compliments the technical issues very well.

Posted March 14, 2010 at 9:44 PM | Permalink | Reply

Peter

One of the better security write-ups I've read in a while. Great post, SANS! It is a good reminder to those in the security industry that not all hacks need to be overly complex. I, too, noticed this flaw while ago but never considered all the real threats until now. A very holistic article covering these important problems and ways to exploit them to fully owning the targets.
Was the last example with Jennifer real? Brilliant! How do you find a target this easy!?

Posted March 16, 2010 at 5:01 PM | Permalink | Reply

Khash Kiani

Hey Peter ''" Yes, the target I called Jennifer for this exercise and the correspondence with her were all real!
I think it's safe to assume that nobody is immune to social engineering attacks hundred percent of the time, even attacks that may seem awfully plain or even silly to most of us. We all get tired, pressed for time, and take mental shortcuts at times, and that's when we're vulnerable.

Posted April 23, 2010 at 6:36 PM | Permalink | Reply

Phillip Pham

Good article Khash!
My account was rather old and it is now dead stuck with my old security questions. If you think hard enough, it can be easily hacked. Migrating to Gmail now!!
I also did some study on this myself too, and sad thing is the flaw #1 "Not my question" still existed. So basically if you are able to hack one account, then you can own it forever.

Posted April 23, 2010 at 6:39 PM | Permalink | Reply

Phillip Pham

Clarification: Flaw #1 still exists for NEW accounts.

Posted November 6, 2010 at 11:26 PM | Permalink | Reply

trae_z

thanks for this man, just hacked 2 accounts this way (nothing serious, informed the owners) but it still sucks that my own old yahoo email is likely compromised this way.

Posted December 9, 2010 at 1:58 PM | Permalink | Reply

Victor

messenger yahoo ->security questions ->WebCam ->steal password
This happend to me! I just gave my answers to someone I belived I knew but actually was someone else that cracked that account first. And now I just try to see how can I reset those original questions too..
THIS IS what happend *(I wrote this sending an email to yahoo security):
"I got in my messenger yahoo, and someone from my list just asked me some questions (later I remembered there were my security questions) saying he does a poll and if I can just help him, and after I told him the answer , he asked me if I can turn on my WebCam, and not knowing his account was stolen, thinking it was my friend, I turned the camera on, and in that moment he stoled my password! And after that I just had to log in from another computer to be able to reset my password , because from the first computer I used whenever I reseted it, he was entering again (I don't know how ). And now I'm trying to use again my first computer but I have to konw what he did in order to protect it. And the weird thing is that he also hacked someother friends yahoo account from my mess list. (he was in the same time on some other friend account, addressing me some ugly words. So any suggestion??"

Post a Comment - Cancel Reply






Captcha


* Indicates a required field.