Members
  • Total Members: 14197
  • Latest: Levine
Stats
  • Total Posts: 43431
  • Total Topics: 16526
  • Online today: 2950
  • Online ever: 51419
  • (01. January 2010., 10:27:49)
Users Online
Users: 1
Guests: 2949
Total: 2950









Author Topic: Other Webmail Services Share Password Reset Flaw  (Read 2728 times)

0 Members and 2 Guests are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7529
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Other Webmail Services Share Password Reset Flaw
« on: 21. September 2008., 09:14:40 »


Yahoo Mail isn't the only Web-based mail service that could be duped into giving up someone else's account password, the tactic that some have argued was used to break into Gov. Sarah Palin's e-mail earlier this week.

Google Inc.'s Gmail, Microsoft Corp.'s Windows Live Hotmail and Yahoo Inc.'s Mail all rely on automated password reset mechanisms that can be abused by knowing a username associated with an account and an answer to a single security question, according to quick tests run by Computerworld.

Computerworld reporters and editors were able to "break" into their own and colleagues' accounts on all three services, then reset passwords armed only with the account's username and the correct response to one of a limited number of common security questions, such as mother's maiden name, the name of a favorite pet or the make of a first car.

Some of the personal information that would provide answers to the security questions may be easily found by searching social networking sites or the Internet, the approach a hacker labeled as "rubico" claimed to have used to dig up the responses necessary to access Palin's account.

Hackers who know the username of an account -- which is often identical to the part of the e-mail address that precedes the "@" symbol -- and correctly type the CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart), the name for the distorted, scrambled characters meant to stymie automated bots, are faced with only a security question before allowed to change the account password.

None of the services required that the new password be sent to an alternate e-mail address -- although that was an option for all three -- and instead offered an all-online process.

Adam O'Donnell, director of emerging technologies at message security vendor Cloudmark Inc., said that automated password reset is the rule in Web-based mail, whether the service is free, like Yahoo, Hotmail and Gmail, or offered as part of the monthly fee by one's ISP.

"ISPs have razor-thin margins, and one call to the help desk to reset a password would wipe out the month's profit on that user," said O'Donnell in an interview yesterday.

At the time, although other security experts were skeptical of the hacker's claim to have accessed Palin's account through a password reset, O'Donnell had said it sounded "very plausible."

According to rubico, who some have speculated is the 20-year-old son of a Tennessee state legislator, the online research needed to reset Palin's password took just 45 minutes.

News Source: PC World

Samker's Computer Forum - SCforum.info

Other Webmail Services Share Password Reset Flaw
« on: 21. September 2008., 09:14:40 »

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.codekids.ba:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Kursevi programiranja za ucenike u Sarajevu

Terms of Use | Privacy Policy | Advertising
TinyPortal 2.3.1 © 2005-2023