Remember the Very Bad Idea of giving away dormant account user names that Yahoo came up with last year?
We didn’t like it. Nor did other security-minded people, who pointed out that attackers could request a password reset email from popular websites – say, Google or Facebook – in order to hijack the accounts belonging to the original Yahoo account owner.
It came as no surprise when in short order the new holders of the old accounts reported that they were still receiving mail meant for the accounts’ previous owners.
Now, Facebook says that by working with counterparts at Yahoo, they’ve together come up with a Very Good Idea to counter that Very Bad One.
As Facebook said in a post on Thursday, it’s going to thwart the possible hijacking of Facebook accounts via password change requests by using a timestamp within an email message to indicate when it last confirmed ownership of a given Yahoo account.
If the account changed hands since Facebook’s last confirmation, Yahoo can just drop the message, preventing delivery of sensitive messages to the wrong hands, according to Facebook software engineer Murray Kucherawy.
The new mitigation method relies on a new standard called Require-Recipient-Valid-Since (RRVS) that gives senders the means to indicate to receivers a point in time when the ownership of the target mailbox was known to the sender.
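To make the check concrete, here is an added illustration (not code from the post, Facebook or Yahoo) of how a receiving mail system could evaluate the header form of RRVS. It follows the RFC 7293 layout of `Require-Recipient-Valid-Since: <address>; <date-time>` and uses a constructed table of mailbox ownership dates in place of a real account database.

```python
import email.utils
from datetime import datetime, timezone

# Constructed sample data: when the current holder of each mailbox took
# possession of it. A real provider would look this up in its account store.
MAILBOX_OWNER_SINCE = {
    # Recycled to a new user after the original owner went dormant
    "alice@example.com": datetime(2013, 8, 15, tzinfo=timezone.utc),
    # Same owner throughout
    "bob@example.com": datetime(2009, 3, 2, tzinfo=timezone.utc),
}

def parse_rrvs(value):
    """Parse a Require-Recipient-Valid-Since value of the form
    '<addr-spec>; <date-time>' into (address, aware datetime)."""
    if ";" not in value:
        raise ValueError("RRVS value lacks ';' separator")
    addr_part, date_part = (p.strip() for p in value.split(";", 1))
    _, addr = email.utils.parseaddr(addr_part)  # tolerate 'Name <addr>'
    ts = email.utils.parsedate_to_datetime(date_part)
    if ts.tzinfo is None:  # a '-0000' zone yields a naive datetime; treat as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return addr.lower(), ts

def rrvs_verdict(header_value, envelope_rcpt):
    """Decide 'deliver' or 'reject' for one recipient.

    header_value: the raw header value, or None if the sender set none.
    envelope_rcpt: the address the message is actually being delivered to.
    """
    if header_value is None:
        return "deliver"  # sender made no ownership claim; nothing to check
    addr, confirmed_at = parse_rrvs(header_value)
    if addr != envelope_rcpt.lower():
        return "deliver"  # header refers to another mailbox (e.g. forwarded)
    owner_since = MAILBOX_OWNER_SINCE.get(addr)
    if owner_since is None:
        return "reject"   # unknown mailbox: cannot vouch for ownership
    # Mailbox changed hands after the sender last confirmed its owner
    return "reject" if owner_since > confirmed_at else "deliver"

if __name__ == "__main__":
    claim = "alice@example.com; Sat, 01 Jun 2013 09:23:01 -0700"
    print("alice:", rrvs_verdict(claim, "alice@example.com"))  # reject
    claim = "bob@example.com; Sat, 01 Jun 2013 09:23:01 -0700"
    print("bob:", rrvs_verdict(claim, "bob@example.com"))      # deliver
```

The first case is the scenario from the post: the sender last confirmed the address in June 2013, the mailbox was handed to a new user in August, so the message is withheld rather than landing in the wrong inbox.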
Facebook wants to help other online properties follow suit and has therefore documented the extension via the Internet Engineering Task Force. It recently became a Proposed Standard – find it at http://tools.ietf.org/html/rfc7293.
Yahoo, no doubt stung by criticism of its Bad Idea, started drafting the standard in July 2013 – just a few weeks after its June announcement of the account giveaway scheme.
There was much rejoicing, with cries of “Nice” and “AWESOME!” greeting Facebook’s timestamping announcement.
I couldn’t agree more, Mohamed A. Baset: This is indeed a “brilliant finish for a big problem.”
Nice, indeed – and it would be nicer still to see other online services adopt the approach!