Yahoo! - "Wish list"

Yahoo recently announced that it will open up email accounts that are inactive since over a year for registration to anyone that asks for it. Yahoo! is framing this as giving everyone the chance to an Yahoo ID of their choice.

As a lot of organisations and in particular web applications use e-mail addresses as part of authentication and identity management there are a lot of things that can expose Yahoo! e-mail users to potential risks should their de-activated e-mail address be claimed by somebody with bad intentions.

One plain obvious threat is that t email addresses that are publicly known (or can be found out individually) are subject to "theft" by being claimed by third parties. These can then proceed to reset the passwords of their 

Since their announcement Yahoo! is trying to retrofit some sort of security control into their process by trying to get the biggest players (Facebook) to implement a new e-mail header for password verification. For that reason Yahoo! pushed an IETF Draft called "Require-Recipient-Valid-Since Header Field".... mid July 2013.

It is not a Question of "IF"

This is merely an attempt at reducing the amount possible damages that will arise by the recently announced move of Yahoo!. There are so many reasons that e-mail addresses can be let dormant but remain important to the owner, especially if used to registration purposes.

It is also not a theoretical matter, password reset functionality is known to be a weak link and stealing identities and stealing e-mail address as the first hop is common. 

It is not a question of whether this new Yahoo! move will be abused, it will be.

A story from the Past

What few know is that Microsoft used to have a similar policy for HOTMAIL in the early 2000 per default. Accounts that had no active login since a certain period (I believe it was 60 days) where free to register again by anyone that wanted to.

This combined with the lax password recovery standards of Domain Registrars was perfect to hijack domain names that were registered with hotmail e-mail addresses. All that was required was registering the hotmail address that "timed-out" and asking for a new password to be sent to the admin-c hotmail address of that particular domain.

Back to my story - "Network Solutions" was my registrar of a quite popular security website of mine "TLSecurity" (some might remember), unfortunately their domain transfer process vulnerable and facilitate domain hijacking. The root cause was a predictable trackingnumber used to authenticate the domain transfer acknowledgement. As TLSecurity was popular around that time. it was of course, part of the so called "Proof of concept". (Tried to look but couldn't find the respective Full-Disclosure/Bugtraq Post)

Getting my domain back

As the domain name was hi-jacked by transferring it to a new owner I had  few options. One being to go to network solutions and complain and try to recover it this way. I figured that this would take some effort and wanted to proceed differently.

As the "researcher" used an email address as Admin-C contact I decided to simply wait 59 days, registered the Hotmail e-mail address that the "researcher" used and triggered account recovery and domain transfer back to myself. I had effectively counter-hijacked my own domain.


In other words it is the perfect way to perform domain hi-jacking by searching for domains names registered with an admin contact at yahoo and then try to claim this address. It is common to use a special type of e-mail addresses that you rarely use for this purpose as the email being public ends up being a spam hole.

Lot of registrars have their primary accounts identifier directly or indirectly tiedto the domain name admin e-mail account and thus all that would be required to get access  is a password reset.

A quick query at Domaintools listed nearly 6000 domains that have their registration info set to a Yahoo! e-mail address. I believe Yahoo should look into this as well. 

According to Yahoo "Recipients will be given 48 hours to claim their most-desired Yahoo! mail address, assuming it's become available. " after that users can be put on a list of Yahoo IDs they want to claim and will even be automatically notified should that name become available! That's very comfy for those that want to abuse this -  previously it was required to automate registration and bypass a captcha in order to constantly check for availability.

So my advice to anyone would be to login your yahoo account save it from de-activation – and avoid even the potentially small risk of opening your other personal accounts up to potentially malicious activity. Those that use Yahoo for Admin-C or as access to their domain management control panel I would recommend to change thei email provider all together.


Luke Sharkey said... @ 11 February, 2015 18:15

Hi, nice tool. Anywayr to change the SSL record layer to TLS?

Post a Comment