Speculation on Palin E-mail Hack
Assuming the mailbox hack is not an elaborate ruse, how did they do it?
Here is the Yahoo Mail password reset screen, which is almost as bad as the Sprint PCS password reset fiasco that made the news in April:
Assuming you guess the alternate e-mail address correctly, Yahoo mails a password reset link to that address. So the attacker likely also had to gain access to her alternate e-mail account. Either that, or they exploited a vulnerability in the Yahoo password reset mechanism itself, which seems less likely but not implausible.
So Yahoo itself probably didn’t get hacked, per se, even though there will probably be a lot of FUD in the media about that.
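To make the reset-mechanism theory concrete, here is an added example (not code from the original post, and not Yahoo's implementation) contrasting the two ways a reset flow can go wrong or right. The `WeakReset` class changes the password directly for anyone who answers a knowledge-based check such as a secret question, which is exactly the kind of information an attacker can often dig up. The `HardenedReset` class instead proves possession of the pre-registered alternate mailbox by mailing a single-use, expiring token there, gives an identical response whether or not the account exists, and caps the number of outstanding requests. The account record, the alternate address `alt@example.invalid`, and the in-memory `outbox` standing in for a mail transport are all constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    """Constructed user record for the example; not real data."""
    username: str
    alternate_email: str
    secret_answer: str          # the weak path compares a human-guessable answer
    password: str = "original-password"
    reset_attempts: int = 0
    tokens: dict = field(default_factory=dict)  # reset token -> expiry (epoch seconds)


class WeakReset:
    """Knowledge-based reset: whoever knows the secret answer, which is often
    public or guessable information, can set a new password immediately.
    The distinct 'no such account' reply also leaks whether a username exists."""

    def __init__(self, accounts):
        self.accounts = accounts

    def reset(self, username, secret_answer, new_password):
        acct = self.accounts.get(username)
        if acct is None:
            return "no such account"
        if acct.secret_answer.strip().lower() == secret_answer.strip().lower():
            acct.password = new_password
            return "password changed"
        return "wrong answer"


class HardenedReset:
    """Proof-of-possession reset: a random, single-use, time-limited token is
    delivered only to the pre-registered alternate address. The caller never
    learns that address, whether the account exists, or whether a guess was
    close, and the number of outstanding requests per account is capped."""

    TOKEN_TTL = 15 * 60   # seconds a reset link stays valid (assumed policy)
    MAX_ATTEMPTS = 5      # outstanding requests allowed before a successful reset

    def __init__(self, accounts, outbox):
        self.accounts = accounts
        self.outbox = outbox  # simulated mail transport: list of (recipient, token)

    def request_reset(self, username):
        acct = self.accounts.get(username)
        if acct is not None and acct.reset_attempts < self.MAX_ATTEMPTS:
            acct.reset_attempts += 1
            token = secrets.token_urlsafe(32)          # 256 bits of CSPRNG entropy
            acct.tokens[token] = time.time() + self.TOKEN_TTL
            self.outbox.append((acct.alternate_email, token))
        # Identical reply on every path, so the response cannot be used as an oracle.
        return "if the account exists, a reset link has been sent"

    def complete_reset(self, username, token, new_password):
        acct = self.accounts.get(username)
        if acct is None:
            return False
        now = time.time()
        for stored, expiry in list(acct.tokens.items()):
            # Constant-time comparison; encode so non-ASCII input cannot raise.
            if hmac.compare_digest(stored.encode(), token.encode()):
                del acct.tokens[stored]                # single use, even if expired
                if now <= expiry:
                    acct.password = new_password
                    acct.reset_attempts = 0
                    return True
                return False
        return False


if __name__ == "__main__":
    accounts = {"alice": Account("alice", "alt@example.invalid", "Fluffy")}
    print(WeakReset(accounts).reset("alice", "fluffy", "attacker-chosen"))
    outbox = []
    hardened = HardenedReset(accounts, outbox)
    print(hardened.request_reset("alice"), "| mail sent to:", outbox[0][0])
    print("reset with mailed token:", hardened.complete_reset("alice", outbox[0][1], "new-pass"))
```

The important design point is that the hardened flow authenticates by something the attacker has to control (the alternate mailbox), not by something they merely have to know. If that mailbox is itself protected by a guessable secret question, the chain is only as strong as its weakest reset screen, which is why an attacker who takes the alternate account first gets the primary one for free.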
Update 08/18/2008 1:00am EST:
Just found this writeup describing how it transpired: http://pastebin.com/f7fb944c5. Again, I'm not vouching for its authenticity, but it does seem plausible, and it's consistent with my password reset theory. I guess my Yahoo account doesn't have a secret question defined, so I wasn't presented with that option when I tested the reset mechanism earlier today.
Just for fun, here’s the list of non-customizable secret questions Yahoo lets you pick from, as of tonight: