Palin-Styled Hacks

September 2008

Yahoo, Hotmail, Gmail all vulnerable to Palin-style password-reset hack. Google Inc.’s Gmail, Microsoft Corp.’s Windows Live Hotmail, and Yahoo Inc.’s Mail all rely on automated password-reset mechanisms that can be abused by anyone who knows the username associated with an account and an answer to a single security question, according to quick tests run by Computerworld. Computerworld reporters and editors were able to “break” into their own and colleagues’ accounts on all three services, then reset passwords armed only with the account’s username and the correct response to one of a limited number of common security questions, such as mother’s maiden name, the name of a favorite pet, or the make of a first car. Some of the personal information that would provide answers to the security questions may be easily found by searching social networking sites or the Internet. Hackers who know the username of an account – which is often identical to the part of the e-mail address that precedes the “@” symbol – and correctly type the distorted “CAPTCHA” characters are faced with only a security question before being allowed to change the account password.