Yahoo, Hotmail, Gmail all vulnerable to password reset hack

Tactic used to access VP candidate's e-mail works on the top three services

Yahoo Mail isn't the only Web-based mail service that could be duped into giving up someone else's account password, the tactic that some have argued was used to break into Sarah Palin's e-mail last week.

Google's Gmail, Microsoft's Windows Live Hotmail and Yahoo's Mail all rely on automated password reset mechanisms that can be abused by knowing a username associated with an account and an answer to a single security question, according to quick tests run by Computerworld.

Computerworld reporters and editors were able to "break" into their own and colleagues' accounts on all three services, then reset passwords armed only with the account's username and the correct response to one of a limited number of common security questions, such as mother's maiden name, the name of a favorite pet or the make of a first car.

Some of the personal information that would provide answers to the security questions may be easily found by searching social networking sites or the Internet, the approach a hacker labeled as "rubico" claimed to have used to dig up the responses necessary to access Palin's account.

Hackers who know the username of an account -- which is often identical to the part of the e-mail address that precedes the "@" symbol -- and correctly type the CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart), the name for the distorted, scrambled characters meant to stymie automated bots, are faced with only a security question before allowed to change the account password.

None of the services required that the new password be sent to an alternate e-mail address -- although that was an option for all three -- and instead offered an all-online process.

Adam O'Donnell, director of emerging technologies at message security vendor Cloudmark, said that automated password reset is the rule in Web-based mail, whether the service is free, like Yahoo, Hotmail and Gmail, or offered as part of the monthly fee by one's ISP.

"ISPs have razor-thin margins, and one call to the help desk to reset a password would wipe out the month's profit on that user," said O'Donnell in an interview yesterday.

At the time, although other security experts were skeptical of the hacker's claim to have accessed Palin's account through a password reset, O'Donnell had said it sounded "very plausible."

According to rubico, who some have speculated is the 20-year-old son of a Tennessee state legislator, the online research needed to reset Palin's password took just 45 minutes.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags hackersGmailyahoo mailhotmail

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?