Yahoo security weakness revealed

Alorie Gilbert, CNET News.com

Published: 21 Dec 2005 16:05 GMT

Yahoo plans to tighten security on its dating site after a security expert uncovered a method for breaking into members' accounts.

The main problem is that Yahoo Personals ads contain clues about key personal information, namely birth date and ZIP code, that members also use to reset their passwords. If an intruder obtains that data, the only thing left to block him from changing the password and taking over the account is the member's secret question, such as "What's your pet's name?", "What is your favourite pastime?" or "What is your all-time favourite sports team?"

In the age of instant messaging and email, answers to such questions are often easy to obtain with a bit of social engineering, said Bennett Haselton, a freelance programmer and Internet free-speech advocate in Seattle who discovered the weakness. Haselton said in an email exchange: "It's the kind of thing that you could ask someone without arousing their suspicion."

The weakness weighs in low on the risk scale; it involves more effort than the average hack. And there's not much to gain. Yahoo Personals does not disclose credit card numbers or other data that could be used for financial gain on its members' account pages.

In fact, most members use a screen alias, which further obscures their identity. Sacha Faust, a senior research engineer at SPI Dynamics, a computer security firm in Atlanta, said: "It requires a fair amount of time and work until you actually get into those accounts."

Yahoo nonetheless pledged to fix the problem after ZDNet UK sister site CNET News.com alerted the company to it.

A company spokeswoman said in a statement: "Yahoo takes security very seriously and employs measures to help protect our users. Upon learning of this issue, we immediately began working on a number of improvements, some of which are already in effect."

Specifically, Yahoo plans to change the way it updates the age field in members' profiles. Its current method keeps the displayed age current, so anyone watching a profile can see the day the age changes and, from that, infer the member's birthday, which could in turn help the hacker reset the member's password. There's a similar risk with ZIP codes, Haselton said. And it's possible to build an automated system that monitors the site for such clues, he said.

While seemingly minor, the feature is an example of disjointed design, Haselton argued. "The password reset feature assumes your birth date and ZIP code are semi-secret; the personal ads feature assumes they're not," he said via email.

To obscure birth dates, Yahoo will soon update age fields across the site once a month, a representative said.

Yahoo is not the only dating site to tip strangers off to its members' birthdays. AmericanSingles, Lavalife and Match.com all do too, Haselton said. But those sites also use various safeguards that make resetting passwords much harder than Yahoo Personals does, he added. Even so, birth dates are often used to verify identity, and these sites should do more to guard them, he said.

Representatives for LavaLife and Match.com declined to comment for this story. An AmericanSingles spokeswoman said the company is not concerned about the possibility of revealing birthdays because it conceals members' identities through the use of aliases. "Given that everything else is anonymous, we don't think that it's going to pose any risk for our members," she said.

Yahoo also plans to remove "What's your pet's name?" from the top of the list of nine secret questions people can choose from when setting up accounts, though it will remain in the list. The spokeswoman did not specify which question Yahoo will move to the top.

The move highlights how certain "secret questions", a popular security safeguard on the web, can be a weak line of defence against a determined intruder. A famous example is the hack on Paris Hilton's T-Mobile Sidekick phone earlier this year. The hacker was reportedly aided by the fact that she had publicised the answer to her secret question — her dog Tinkerbell's name.

But even for non-celebs, answers to secret questions are often easy to guess, or they're the kind of information people don't generally think twice about disclosing to a relative stranger, like a potential date.

SPI Dynamics' Faust said: "I think the [internet] industry needs to start revising that and asking harder questions. Many people write very quick answers, something easy to remember. Then you're open to these minor socially engineered attacks."
