The main problem is that Yahoo Personals ads contain clues about key personal information--namely birth date and ZIP code--that members also use to reset their passwords. If an intruder obtains that data, the only things that would block him from changing passwords and accessing accounts are members' secret questions, such as "What's your pet's name?", "What is your favorite pastime?" and "What is your all-time favorite sports team?"
In the age of instant messaging and e-mail, answers to such questions are often easy to obtain with a bit of social engineering, said Bennett Haselton, a freelance programmer and Internet free-speech advocate in Seattle who discovered the weakness. "It's the kind of thing that you could ask someone without arousing their suspicion," Haselton said in an e-mail exchange.
The weakness weighs in low on the risk scale; it involves more effort than the average hack. And there's not much to gain. Yahoo Personals does not disclose credit card numbers or other data that could be used for financial gain on its members' account pages. In fact, most members use a screen alias, which further obscures their identity. "It requires a fair amount of time and work until you actually get into those accounts," said Sacha Faust, a senior research engineer at SPI Dynamics, a computer security firm in Atlanta.
Yahoo nonetheless pledged to fix the problem after CNET News.com alerted the company to it.
"Yahoo takes security very seriously and employs measures to help protect our users," Mary Osako, a company spokeswoman, said in a statement. "Upon learning of this issue, we immediately began working on a number of improvements, some of which are already in effect."
Specifically, Yahoo plans to change the way it updates the age field in members' profiles. Its current method could allow a hacker to guess a member's birthday, which could help the hacker, in turn, reset the member's password. There's a similar risk with ZIP codes, Haselton said. And it's possible to create an automated system to monitor the site for clues, he said.
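To make the age-field leak concrete, here is an added example in Python; it is not code from the article, from Haselton, or from Yahoo. It assumes, as the article implies but does not spell out, that the age shown in a profile increments on the member's birthday and that a monitoring script records the displayed age on each visit; the observation lists below are constructed. From the visit on which the age ticks over it recovers the birth date, or a short window of candidate dates when polling is less frequent, which is exactly one of the two values the password-reset form then asks for.

```python
from datetime import date, timedelta
from typing import List, Optional, Tuple

Observation = Tuple[date, int]  # (date the profile was viewed, age displayed)

# Constructed data: what a daily poller would record around a birthday.
SAMPLE_DAILY: List[Observation] = [
    (date(2005, 3, 10), 34),
    (date(2005, 3, 11), 34),
    (date(2005, 3, 12), 35),
    (date(2005, 3, 13), 35),
]

# Constructed data: weekly polling only brackets the birthday.
SAMPLE_WEEKLY: List[Observation] = [
    (date(2005, 3, 1), 34),
    (date(2005, 3, 8), 35),
]


def find_rollover(observations: List[Observation]) -> Optional[Tuple[date, date, int]]:
    """Locate the first pair of visits between which the displayed age rose by one.

    Returns (last_date_with_old_age, first_date_with_new_age, new_age),
    or None if the age never changed in the observation window.
    """
    obs = sorted(observations)
    for (d0, a0), (d1, a1) in zip(obs, obs[1:]):
        if a1 == a0 + 1:
            if (d1 - d0).days > 365:
                raise ValueError("gap between visits exceeds a year; birthday ambiguous")
            return d0, d1, a1
        if a1 != a0:
            raise ValueError("displayed age moved by more than one or went down")
    return None


def infer_birthdates(observations: List[Observation]) -> List[date]:
    """Candidate birth dates consistent with the observed age rollover.

    The anniversary falls in the half-open window (d0, d1]; for each day in that
    window the birth year is that day's year minus the new age.
    """
    rollover = find_rollover(observations)
    if rollover is None:
        return []
    d0, d1, new_age = rollover
    candidates: List[date] = []
    day = d0 + timedelta(days=1)
    while day <= d1:
        try:
            candidates.append(date(day.year - new_age, day.month, day.day))
        except ValueError:
            # Feb 29 anniversary with a non-leap birth year: the site would have
            # shown the change on Feb 28 or Mar 1 instead, so skip this day.
            pass
        day += timedelta(days=1)
    return candidates


if __name__ == "__main__":
    for label, sample in (("daily", SAMPLE_DAILY), ("weekly", SAMPLE_WEEKLY)):
        found = infer_birthdates(sample)
        print(f"{label} polling -> {len(found)} candidate(s): "
              + ", ".join(d.isoformat() for d in found))
```

With daily polling the birth date is recovered exactly; with weekly polling the attacker is left with seven candidates, which is seven tries at a reset form that does not rate-limit. The fix Yahoo describes, changing how the age field is updated, works by breaking the assumption the script relies on: that the displayed value changes on the birthday itself.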
While seemingly minor, the feature is an example of disjointed design, Haselton argued. "The password reset feature assumes your birth date and ZIP code are
it. I hate meeting gals in a bar...they either drink too much, or smoke, and are usually bar regulars. Their social life revolves around the bars. I also seldom met anyone with any sort of a future there. Yahoo then, was perfect. I met a better class of people, and had plenty of dates, whenever I wanted them. Most were decent dates also. Then Yahoo got the brainstorm to begin charging for its services, and everything changed. I have never met so many psychos in my life, and the free exchange of information has been very much throttled. If Yahoo were to disappear tomorrow...I would not remotely miss it. I very much prefer MySpace...but have problems with scammers and hackers constantly on there. They need better screening, and more protection for data. Someone erased my profile recently...not me either, and I cannot effectively contact them about it. Then again...try contacting Yahoo!