Speculation on Palin E-mail Hack

Assuming the mailbox hack is not an elaborate ruse, how did they do it?

Almost as bad as the Sprint PCS password reset fiasco that made the news in April, here is the Yahoo Mail password reset screen:

As you can see, you need to know the user’s birthday, country of residence, and postal code. Not difficult information to dig up in Palin’s case. After you enter this information correctly, you are asked to type in the alternate e-mail address that’s associated with the account. But they give you hints — so if your alternate e-mail was sarah@alaska.gov, they would show you s****@a*****.gov.

Assuming you guess the alternate e-mail correctly, Yahoo mails a password reset link to that address. So the attacker likely also had to gain access to her alternate e-mail account. Either that, or they exploited a vulnerability in the Yahoo password reset mechanism itself, which seems less likely but not implausible.

So Yahoo itself probably didn’t get hacked, per se, even though there will probably be a lot of FUD in the media about that.

Update 08/18/2008 1:00am EST:

Just found this writeup describing how it transpired: http://pastebin.com/f7fb944c5. Again, not vouching for the authenticity but it does seem plausible, and it’s consistent with my password reset theory. I guess my Yahoo account doesn’t have a secret question defined so I wasn’t presented that option when I tested the reset mechanism earlier today.

Just for fun, here’s the list of non-customizable secret questions Yahoo lets you pick from, as of tonight:

And they sure don’t make it easy for you to update your secret question, do they? (must be logged in to Yahoo for that link to work)
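To make the design point concrete, here is an added example (my own illustration, not Yahoo's code and not part of the original post) that models the two reset flows described above: the knowledge-based path, where birthday, country, postal code and a secret answer are sufficient on their own, next to a token path where those facts only trigger a one-time token sent to the registered alternate address. All account values are constructed placeholders, and `mask_email` reproduces the hint format shown above.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    """Constructed sample account shape; any values used with it are placeholders."""
    birthday: str
    country: str
    postal_code: str
    secret_answer: str
    password: str = "old-password"

def mask_email(addr: str) -> str:
    """The hint the post describes: sarah@alaska.gov -> s****@a*****.gov."""
    local, domain = addr.split("@", 1)
    name, tld = domain.rsplit(".", 1)
    return f"{local[0]}{'*' * (len(local) - 1)}@{name[0]}{'*' * (len(name) - 1)}.{tld}"

def facts_match(acct, birthday, country, postal_code):
    """Birthday, country and postal code: all public for a well-known person."""
    return (birthday, country, postal_code) == (acct.birthday, acct.country, acct.postal_code)

def weak_reset(acct, birthday, country, postal_code, answer, new_password):
    """Downgrade path: public facts plus a guessable secret answer suffice on their own."""
    if not facts_match(acct, birthday, country, postal_code):
        return False
    if answer.strip().lower() != acct.secret_answer.lower():  # lenient matching, no lockout
        return False
    acct.password = new_password
    return True

class TokenReset:
    """Stronger design: the facts only gate sending a one-time token to the registered address."""
    def __init__(self):
        self._pending = {}  # sha256(token) -> account awaiting reset

    def request(self, acct, birthday, country, postal_code):
        if not facts_match(acct, birthday, country, postal_code):
            return None
        token = secrets.token_urlsafe(32)
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = acct
        return token  # a real system e-mails this to the registered alternate address instead

    def complete(self, token, new_password):
        acct = self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if acct is None:
            return False  # unknown, already used, or never issued
        acct.password = new_password
        return True
```

In the token design, someone who knows every public fact still only causes mail to be sent to a mailbox they do not control; in the weak design the same knowledge plus one good guess completes the reset.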


Palin Yahoo Email Hacked | SecuraBit | September 17, 2008 3:18 pm

[...] Eng (guest on Securabit Episode 7) has posted some commentary on what he thinks might have happened to the account.  What are your thoughts on this matter?  Is [...]

Chris Eng | September 17, 2008 3:52 pm

Chatting w/Billy Rios on Twitter earlier, he pointed out that even though Yahoo requires an alternate e-mail address when signing up for an account today, maybe if you created your account several years ago (as Palin probably did) that requirement didn’t exist. In which case, maybe the birthday, country, and postal code would have been sufficient to carry out the password reset. Anybody with an old Yahoo Mail account to test this theory?

Chris Wysopal | September 17, 2008 8:03 pm

I just tried this with my Yahoo account which isn’t more than 3 or 4 years old. When I say I forgot my password it asks if I can still access my alternate email account. I can opt “no” which is a major security downgrade. Then it asks me my secret question such as pet’s name. If I know the answer I get to reset my password.

My guess is the attackers did this and selected that they couldn’t access the alternate email account. Then they guessed the answer to Gov. Palin’s secret questions. If it was “what is your pet’s name”, that information may be public.

I think it is a bad idea to do anything more than personal, friendly chit chat on Yahoo Mail.

Chris Wysopal | September 17, 2008 8:58 pm

A poster up on 4chan.org claims this is how he did it:

after the password recovery was re-enabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if you’ll look on some of the screenshots that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later through more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

links for 2008-09-17 (Jarrett House North) | September 17, 2008 9:00 pm

[...] Speculation on Palin E-mail Hack …and here's how they could have done it. Not every hack requires the knowledge of exploiting buffer overflows and SQL injections… sometimes there's just plain bad design at work. (tags: 2008 election palin security) [...]

MikeA | September 17, 2008 11:56 pm

Perhaps a question, one that I’ve not heard many people ask during all this is…

Could it be an insider attack?

All these other attack methods are certainly a good possibility, but there’s plenty of people inside Yahoo, lots “democratic” in nature, and I’m not sure about Yahoo, but most companies are pretty open from the inside. There’s certainly a (perhaps small) likelihood that someone inside Y! could have “thrown a switch” or “leaked info” about the account. It’s not as if Y!’s don’t have enough to be pissed off about already, and job security isn’t exactly top of the agenda either.

Just a thought.

Chris Eng | September 18, 2008 12:08 am

@Chris Wysopal: Weird, when I tried that “can’t access alternate e-mail account” option, it told me my password couldn’t be reset online. Maybe I don’t have a secret question defined.

@MikeA: Sounds like this was so easy that no insider info was required.

MikeA | September 18, 2008 4:19 am

Yep, after seeing the new details come out, I agree it doesn’t look like an inside job at all – as you said Chris, it was far too easy (which is sad in-and-of-itself). If these people get in they will be in charge of our nuclear codes. Who’s betting that it won’t be something like ‘1234’ ;)

MikeA | September 18, 2008 4:29 am

Crap, sorry, meant to post this as well.

http://www.theregister.co.uk/2008/09/18/palin_email_investigation/

Apparently the guy was behind a proxy (says so in his write up), and could easily be traced now. Also seems that nothing substantive was found in the account because it was the gov.palin@yahoo.com account instead of gov.sara@yahoo.com – don’t know about you, but I separate out email accounts to work/personal, and the wrong one (well, at least the one everyone was speculating about the contents) was hacked. However, I can’t imagine that having access to one wouldn’t get you access to the other – I could easily see password/information sharing going on.

Zero Day mobile edition | September 19, 2008 8:42 am

[...] Chris Eng pointed out, you should carefully scrutinize the password reset policy used by the webmail [...]

Take Business Email Seriously | Seo Vancouver Island | February 7, 2009 5:15 pm

[...] The biggest news item was VP candidate Sarah Palin’s use of Yahoo Mail for government business. Apparently, the email account was not breached by any high level hacker attack, but by a weakness in the Yahoo Password Reset. [...]
