Monday, 11 November 2013

Limits of Yahoo security

For the first time (and maybe not the last one if you request it, dear readers!) I will write this post in English.
Why? Well, I have seen many questions about Yahoo security in forums, and I think this post may answer some of them.

What is the story?

Every year I demonstrate how to access a Yahoo mail account using the well-known Sarah Palin vulnerability in the security training I am in charge of. In other words, my objective is to access a Yahoo account using the answers to its security questions, found on social networks. And every year I see how Yahoo improves its security. Their last security update was to honour a request to access the account only 24 hours after the request was made. As my security training lasts 2 days, I was still able to demonstrate it.

But when I tried to do it this year (2013), I could not access the security questions to reset my password. I had access only to my backup email. Arrgh!

After some tests I found a way to use my security questions again. How did I do it? Here is the trick.
The idea is to lock your account. To do that, you try to reset your password several times (click the “I have forgotten my password” link on the Yahoo login page). After several attempts (that is, after several mails have been sent to your backup email account) your account is locked and… you will be able to reset it after 24 hours using your security questions again. Based on my experience, we have to try to reset the password 4 times before the account is locked.

We did it!

Here are some snapshots of the process.


The account is locked and we have to come back in 24 hours.


24 hours later, again, we have to try to reset the password 4 times before being able to use the security questions. Below, we correctly answered the first security question and have to answer the second one.


The second answer was correct and we can set a new password. Then we have access to the email account.

This approach is useful in at least 2 use-cases:
You have lost access to your backup email and cannot use it to reset your password
You want to access the email account of your target (as usual, here is a reminder: you are not allowed to do that and you can be prosecuted)

Note: if you create a new Yahoo email account now, you will not be able to set security questions. This option seems to have been removed by Yahoo.

Note: this test was done in October 2013. Keep in mind that Yahoo regularly updates its security behaviour, so you may have to adapt this scenario!
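Seen from the provider's side, the sequence described above (a burst of reset requests, a lock, then a password change through the security questions once the 24-hour wait has passed) is something account-recovery logs can flag. The following is an added detection example, not code from the original post; the log format, event names and thresholds are assumptions and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <account> <event>" (not real Yahoo data)
SAMPLE_LOG = """\
2013-10-01T09:00:00 alice reset_request_backup_email
2013-10-01T09:02:00 alice reset_request_backup_email
2013-10-01T09:04:00 alice reset_request_backup_email
2013-10-01T09:06:00 alice reset_request_backup_email
2013-10-01T09:06:01 alice account_locked
2013-10-02T09:30:00 alice reset_request_backup_email
2013-10-02T09:31:00 alice reset_request_backup_email
2013-10-02T09:32:00 alice reset_request_backup_email
2013-10-02T09:33:00 alice reset_request_backup_email
2013-10-02T09:34:00 alice security_question_success
2013-10-02T09:35:00 alice password_changed
2013-10-03T12:00:00 bob reset_request_backup_email
2013-10-03T12:10:00 bob password_changed
"""

def parse(log):
    """Group (timestamp, event) pairs per account."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, account, event = line.split()
        events[account].append((datetime.fromisoformat(ts), event))
    return events

def suspicious_recoveries(log, burst=4, window=timedelta(minutes=15),
                          lock_wait=timedelta(hours=24)):
    """Return accounts where >= `burst` reset requests inside `window` end in a
    lock, and a password change via security questions follows after `lock_wait`.
    Thresholds mirror the post (4 attempts, 24 hours) but are assumptions."""
    flagged = []
    for account, evs in parse(log).items():
        evs.sort()
        lock_time = None
        for i, (ts, ev) in enumerate(evs):
            if ev == "account_locked":
                # Count reset requests shortly before the lock
                recent = [t for t, e in evs[:i]
                          if e.startswith("reset_request") and ts - t <= window]
                if len(recent) >= burst:
                    lock_time = ts
            elif ev == "password_changed" and lock_time is not None:
                # Security questions only become usable once the lock has expired
                after = {e for t, e in evs[:i] if t >= lock_time + lock_wait}
                if ts >= lock_time + lock_wait and "security_question_success" in after:
                    flagged.append(account)
                    lock_time = None
    return flagged
```

A single reset request followed by a password change (bob) is normal recovery and is not flagged; only the lock-then-questions pattern is.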
