June 19, 2019

Palin's email breached through weak Yahoo password recovery mechanism

This week’s breach of Sarah Palin’s Yahoo Mail account has been much discussed. One aspect that has gotten less attention is how the breach occurred, and what it tells us about security and online behavior.

(My understanding of the facts is based on press stories, and on reading a forum post written by somebody claiming to be the perpetrator. I’m assuming the accuracy of the forum post, so take this with an appropriate grain of salt.)

The attacker apparently got access to the account by using Yahoo’s password reset mechanism, that is, by following the same steps Palin would have followed had she forgotten her own password.

Yahoo’s password reset mechanism is surprisingly weak and easily attacked. To simulate the attack on Palin, I performed the same “attack” on a friend’s account (with the friend’s permission, of course). As far as I know, I followed the same steps that the Palin attacker did.

First, I went to Yahoo’s web site and said I had forgotten my password. It asked me to enter my email address. I entered my friend’s address. It then gave me the option of emailing a new password to my friend’s alternate email address, or doing an immediate password reset on the site. I chose the latter. Yahoo then prompted me with my friend’s security question, which my friend had previously chosen from a list of questions provided by Yahoo. It took me six guesses to get the right answer. Next, Yahoo asked me to confirm my friend’s country of residence and zip code — it displayed the correct values, and I just had to confirm that they were correct. That’s all! The next step had me enter a new password for my friend’s account, which would have allowed me to access the account at will.

The only real security mechanism here is the security question, and it’s often easy to guess the right answer, especially given several tries. Reportedly, Palin’s question was “Where did you meet your spouse?” and the correct answer was “Wasilla high”. Wikipedia says that Palin attended Wasilla High School and met her husband-to-be in high school, so “Wasilla high” is an easy guess.

This attack was not exactly rocket science. Contrary to some news reports, the attacker did not display any particular technical prowess, though he did display stupidity, ethical blindness, and disrespect for the law — for which he will presumably be punished.

Password recovery is often the weakest link in password-based security, but it’s still surprising that Yahoo’s recovery scheme was so weak. In Yahoo’s defense, it’s hard to verify that somebody is really the original account holder when you don’t have much information about who the original account holder is. It’s not like Sarah Palin registered for the email account by showing up at a Yahoo office with three forms of ID. All Yahoo knows is that the original account holder claimed to have the name Sarah Palin, claimed to have been born on a particular date and to live in a particular zip code, and claimed to have met his/her spouse at “Wasilla high”. Since this information was all in the public record, Yahoo really had no way to be sure who the account holder was — so it might have seemed reasonable to give access to somebody who showed up later claiming to have the same name, email address, and spouse-meeting place.

Still, we shouldn’t let Yahoo off the hook completely. Millions of Yahoo customers who are not security experts (or are security experts but want to delegate security decisions to someone else) entrusted the security of their email accounts to Yahoo on the assumption that Yahoo would provide reasonable security. Palin probably made this assumption, and Yahoo let her down.

If there’s a silver lining in this ugly incident, it is the possibility that Yahoo and other sites will rethink their password recovery mechanisms, and that users will think more carefully about the risk of email breaches.

Comments

  1. The Internet is serious business, and I am hopeful that Yahoo learns its lesson and improves this weak link in their security. As far as the hacker’s prowess, you have a pretty good description of most of the stuff that goes on over at 4chan: it is a pretty stunning display of “stupidity, ethical blindness, and disrespect for the law.” QFM.

  2. I don’t trust any password recovery mechanisms. So I always answer with random password-like answers to such recovery questions, e.g. question: “Where did you meet your spouse?”, answer: “sxl6qgtpl9hdko”. Of course, the drawback is that if I forget my password and my random answer I will not be able to access my account. That hasn’t happened with me so far.

  3. I do love this site if only because this is by far the most dispassionate and even handed account of the incident I have read. Basically most blogs have covered this with either barely contained glee that someone stuck it to the eeeevil (but ludicrously stupid) Republican VPILF from Alaska or that there is some insidious liberal hacker who wants to burn St. Joan of Arc II at the stake by rummaging through her email. In reality the only real take away is that if the only thing between your email being invaded and it being safe is “where did you meet your husband” it is probably best to answer it “my favorite color is green and we met in the high school that we both went to @@@!!!”

    • You said:
      it is probably best to answer it “my favorite color is green and we met in
      the high school that we both went to @@@!!!”

      You’d still have to give significantly different answers to each and every website with that particular recovery question, however, unless you trusted every one of them.

      This is why I appreciate sites which also let me set the question (like Google, IIRC).

  4. …is that the “hacker” so completely shot himself in the foot. He posted a screen capture of most of the ctunnel.com link he used allowing ctunnel’s owner to find out who it was.

    Very obviously this could have happened without anyone ever knowing who did it.

  5. <blockquote>
    Still, we shouldn’t let Yahoo off the hook completely. Millions of Yahoo customers who are not security experts (or are security experts but want to delegate security decisions to someone else) entrusted the security of their email accounts to Yahoo on the assumption that Yahoo would provide reasonable security. Palin probably made this assumption, and Yahoo let her down.
    </blockquote>

    I have a problem with this. My understanding is that Yahoo accounts are handed out for free, with a written “all care no responsibility” agreement. Having government protect foolish people from their own foolish mistakes is a road to nowhere.

    Yahoo should be completely let off the hook in this particular case because their service was being used in an inappropriate manner. Palin must have been explicitly told NOT to use such accounts for official business and she willingly disobeyed, figuring she knew better. Yahoo don’t provide government grade security, and they never will. This is not a matter of an accidental slip up, it is a matter of willfully ignoring multiple warnings and direct instructions not to follow this path. I’m sorry maam, you have voided your warranty, please read the installation guide next time.

  6. Tel,

    I didn’t mean to suggest criminal sanctions against Yahoo. All I meant was that, in my opinion, they’re partly at fault here. Even if Yahoo’s user agreement says they’re not at fault for anything, I still think they deserve some blame. Companies put language like that into user agreements all the time. Users read that language as meaning “you can’t sue us” not as “we haven’t taken reasonable precautions”.

    Bear in mind, too, that Yahoo applies this level of protection to all of its customers. They didn’t lower their protection because of how Palin used the account.

    And where are the “multiple warnings” that you say were wilfully ignored? Where does Yahoo warn its users that their email will be so weakly protected?

  7. Palin would have been given clear instructions as part of taking the office of Governor — how to use official email for official business and NOT to use random free email accounts for anything even remotely sensitive. As both a Governor and as a candidate for the White House, she has access to professional security staff who are paid to explain these things, and it is Palin’s job to listen to them.

    Anyone even mildly awake would remember the business with Karl Rove and the deleted emails, after all that you would think it was clearly understood by all that running state business through something like Yahoo would be unthinkable.

  8. A basic problem in security these days is that we give people a certain amount of instruction on how to pick a good password, but we almost never add the extra step of pointing out that “security question” answers are also just another kind of password. And using a placename for a password is a bad idea.

    I’d love to have you as a guest on the video cast Security Provoked that I recently launched with CSI to talk about the Palin thing and the general state of security for public mail services like Yahoo’s. You do it from the comfort of your own webcam and it generally takes no more than 20 minutes. Love to have you on.

    Best,

    Robert

  9. Anyone even mildly awake would remember the business with Karl Rove and the deleted emails, after all that you would think it was clearly understood by all that running state business through something like Yahoo would be unthinkable.

    You don’t think it’s crystal clear that Rove’s example was exactly why Palin did it? I’d have to say that anyone even mildly awake would see that this was obviously the case.

    From the NYT: “While Ms. Palin took office promising a more open government, her administration has battled to keep information secret. Her inner circle discussed the benefit of using private e-mail addresses. An assistant told her it appeared that such e-mail messages sent to a private address on a “personal device” like a BlackBerry “would be confidential and not subject to subpoena.”

    • I’m not going to double-guess whether Palin was stupid, ignorant, or corrupt or all the above. It’s not my job to look inside her head. All I’m saying is that she had every opportunity to act appropriately and for whatever reason she chose not to. Blaming Yahoo here is completely unreasonable. Yahoo was never designed for commander-in-chief grade security, or even business grade security.

      Trying to make service providers (especially FREE service providers) responsible for the obviously inappropriate decisions made by members of the general public is unfair, unproductive and will not even encourage good decisions to be made in future. It will only serve to chill future innovation.

  10. Yahoo is clearly not to blame for this. Pallin was being an idiot by using a free email provider for sensitive information.

    Yahoo needs a robust password recovery mechanism that even an idiot could use. I no longer have access to the email I used to sign up to yahoo, so if I can’t answer my recovery question and forget my password I won’t have access to my email. Yahoo has decided to make the service more user-friendly at the expense of security by making the password recoverable even after an email change, considering that it’s not supposed to be used for sensitive information this is a completely reasonable decision on yahoo’s part.

  11. Jim Horning says:

    … with many sites’ password recovery mechanisms is that the list of offered questions is so small, and so often each one involves information that is easily discovered online.

    When presented with such a choice, what I do is make up an answer, and put it in a safe place. How are they to know that my first pet was not named GodzillaBumptious IV?

    You might ask why I don’t just put my password in a safe place. It is my experience that with many sites my perfectly-remembered (alright, stored in a safe place) password will occasionally start being rejected, and I have to ask for a reset to get going again. The less frequently I use a site, the more likely it will refuse my password the next time I do use it. Perhaps this is an indication of bit rot on the servers? 🙂

    Jim H.

  12. I’m with Tel and Catty…

    In general people (especially those running for public office) should be aware that on some level you get what you pay for. On a free service, you simply can’t expect serious security. You don’t send a kid from the high school wrestling team to protect a Brinks truck. So don’t send high value information protected with low value security.

    For the vast majority of us who aren’t listed in Wikipedia, the security questions are probably quite strong enough. Among the several thousand people who have ever known me, there are probably not more than half a dozen (if that many) who know the name of my first pet. Were I running for VP, however, that is undoubtedly one charming detail that would be trotted out to endear me to the American public. When you become a public figure, a lot more of your personal information shows up in public. At that point, there is no reasonable expectation of privacy on the level of Yahoo security questions, and you should no longer be relying on services like Yahoo for communicating sensitive information. Sure, if you want to use it for telling your kid to do her homework, that’s appropriate, but not for talking about political strategy. It was particularly stupid to select a username like sarah.gov, which is kind of a dead giveaway, but even if she had used something like muffymoose, it still would have been risky, for the same attack…just harder to identify the right account.

    From Yahoo’s perspective, I don’t see why they would want to do anything much more serious security-wise. Think about it…if they put in better security features, chances are more people would be locked out of their accounts more often, and would either be pestering the support staff for help getting back in or they would be setting up more accounts, and leaving large numbers of locked out accounts hanging around. Both of these scenarios lead to higher support costs for Yahoo (not to mention potentially higher costs for implementing better security). And being the free service that they are, why would they want to spend extra on security, when the existing mechanism is adequate for the vast majority of their customers who are not public figures?

    It’s interesting that this is the first description of the attack that I’ve seen. I’d like to see more public discussion and awareness about what is and is not appropriate or safe to be sending around on services like Yahoo. Where’s the media?

  13. If she had used her alaska.gov email address for all her crooked deals, it would not have been so easy for the kid to crack in.

    • here here!

    • Anonymous says:

      The point of using a third-party email might have been to conceal the “crooked deals” from monitoring or auditing of some sort, perhaps including possible future subpoenas. The risk being that it would become visible to other third parties and might be less secure in other ways also. Mitigated by obscurity — if the account name was something like “” rather than “” and logins were made via proxies or from home.

      In short, she gambled and she lost.

      Encryption might have been wise, combined with use of a third-party mail server and TOR to access it. That would make casual hacking futile and better shield the stuff against legal discovery procedures.

      Fortunately, though, our corrupt politicians are not very tech savvy; many of them probably react to problems with the series of tubes by reaching for the nearest can of Drano.

  14. I find the Sarah Palin Yahoo! hack saga disturbingly of a piece with the recent case of DHS consulting Wikipedia to deny an asylum appeal. Namely, it seems there are more than a few people in potentially high-stakes government positions with insufficient understanding of the limits of modern communications and research technology.

  15. “First, I went to Yahoo’s web site and said I had forgotten my password. It asked me to enter my email address. I entered my friend’s address. It then gave me the option of emailing a new password to my friend’s alternate email address, or doing an immediate password reset on the site. I chose the latter.”

    hello,
    the thing is, i can’t access my friend’s yahoo email,
    and she’s asked me to.
    but, the second step is different from yours!
    the only option availabe is “immediate password reset on the site”, and that is not
    possible, cuz she doesn’t remember which country did she write
    when she registered few years ago..
    could you please post a link to a “yahoo emails you your password” option?

    Thank you!