Remember the Very Bad Idea of giving away dormant account user names that Yahoo came up with last year?
We didn’t like it. Nor did other security-minded people, who pointed out that attackers could request a password reset email from popular websites – say, Google or Facebook – in order to hijack the accounts belonging to the original Yahoo account owner.
It came as no surprise when in short order the new holders of the old accounts reported that they were still receiving mail meant for the accounts’ previous owners.
Now, Facebook says that by working with counterparts at Yahoo, they’ve together come up with a Very Good Idea to counter that Very Bad One.
As Facebook said in a post on Thursday, it’s going to thwart the possible hijacking of Facebook accounts via password change requests by using a timestamp within an email message to indicate when it last confirmed ownership of a given Yahoo account.
If the account changed hands since Facebook’s last confirmation, Yahoo can just drop the message, preventing delivery of sensitive messages to the wrong hands, according to Facebook software engineer Murray Kucherawy.
The new mitigation method relies on a new standard called Require-Recipient-Valid-Since (RRVS) that gives senders the means to indicate to receivers a point in time when the ownership of the target mailbox was known to the sender.
Facebook wants to help other online properties follow suit and has therefore documented the extension via the Internet Engineering Task Force. It recently became a Proposed Standard – find it at http://tools.ietf.org/html/rfc7293.
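The receiver-side check that the mechanism implies, written here as an added Python example rather than Facebook's or Yahoo's code: it parses the RFC 7293 header form `address; date-time`, compares the sender's timestamp with a constructed table of when each mailbox was last (re)assigned, and rejects when ownership changed after the sender's confirmation.

```python
"""Receiver-side Require-Recipient-Valid-Since (RRVS) check.
Header syntax per RFC 7293: "<addr-spec>; <RFC 5322 date-time>".
Added example; the ownership table and sample headers are constructed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed: when each local mailbox was (re)assigned to its current owner.
# A real mail provider would query the account system that recycles usernames.
MAILBOX_VALID_SINCE = {
    "alice@example.com": datetime(2014, 1, 15, tzinfo=timezone.utc),  # recycled
    "bob@example.com": datetime(2010, 3, 2, tzinfo=timezone.utc),     # never reassigned
}

def parse_rrvs(header_value: str):
    """Split 'addr; date' into (normalised address, timezone-aware datetime)."""
    addr, _, date = header_value.partition(";")
    if not date.strip():
        raise ValueError("RRVS value needs an address and a date separated by ';'")
    ts = parsedate_to_datetime(date.strip())
    if ts.tzinfo is None:  # a "-0000" zone parses as naive; treat it as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), ts

def rrvs_decision(recipient: str, header_value: str,
                  owner_since=MAILBOX_VALID_SINCE) -> str:
    """Return 'deliver' or 'reject' for one recipient.

    The sender asserts it last confirmed the mailbox owner at `ts`. If the
    mailbox was handed to a new owner *after* that instant, the message was
    written for the previous owner and must not reach the new one."""
    addr, ts = parse_rrvs(header_value)
    recipient = recipient.lower()
    if addr != recipient:
        return "deliver"  # header refers to a different mailbox; not applicable
    since = owner_since.get(recipient)
    if since is None:
        return "deliver"  # no ownership history, so no change can be asserted
    return "reject" if since > ts else "deliver"
```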
Yahoo, no doubt stung by criticism of its Bad Idea, started drafting the standard in July 2013 – just a few weeks after its June announcement of the account giveaway scheme.
There was much rejoicing, with cries of “Nice” and “AWESOME!” greeting Facebook’s timestamping announcement.
I couldn’t agree more, Mohamed A. Baset: This is indeed a “brilliant finish for a big problem.”
Nice, indeed – and it would be nicer still to see this spread to whatever other online services adopt the approach!
“It’s going to thwart the possible hijacking of Facebook accounts via password change requests by using a timestamp within an email message to indicate when it last confirmed ownership of a given Yahoo account.”
Wait a minute. All a timestamp would seem to prove is that somebody (e.g., you or your imposter) confirmed (s)he owned a given Yahoo account.
But how does a timestamp prove who owns the Yahoo account? How will email recipients know that you – not your imposter – sent certain emails via Yahoo?
I think I’m missing something here.
Yahoo knows when it recycled or reissued a previously active username. So Yahoo will automatically drop the email if the RRVS timestamp in the email is before the username was recycled/reissued.
How will the genuine owner of an FB account recover his account if he forgot his FB password and lost access to his Yahoo ID for more than a year, so that it has been recycled to someone else?
Did the person lose his Facebook account?
Yes, they will not be able to recover their Facebook account via email if they no longer have access to the email account it is linked to. This has always been the case though.
Perhaps I’m a bit confused, but I don’t understand the new process. A step-by-step example of how it works would be a huge help to me.
There are examples in the RFC.