security

Yahoo! Mail: Expired/Inactive Recovery Email Exploit on Resetting Passwords

Phoenix Eve Aspacio

Sep 7, 2018 — 2 min read

Summary:

This vulnerability report describes how an attacker could obtain access to (pressumably) any Yahoo! Mail account by resetting the password through recovery email which was re-registered after previously deactivated (because of inactivity) by an external freemail provider. Or, reset the password of a Yahoo! Mail account whose recovery email's domain was hijacked or has been purchased by a third-party entity, which can reset the linked accounts by just using the reset-password-mechanism.

Description:

Many freemail providers like Microsoft's Outlook/Hotmail (or maybe Yahoo! Mail) emails are being automatically deactivated due to account inactivity (eg. not being able to login after 5 years). This means that the said auto-deactivated email addresses are now free for any user to re-register. BUT WHAT IF -- a stranger re-registered the email address which was linked as a recovery email to a currently active Yahoo! Mail account? This is where the exploit can be used: The stranger can now use the standard process of resetting the password or obtain access to a Yahoo! Mail account by sending a code to the hijacked recovery email.

Same problem goes to when a Yahoo! Mail account was linked to a recovery email in an email address of a private domain like "example.com" which was then bought by a no-longer affiliated entity, who can also access the recovery emails of the Yahoo! Mail accounts.

Browsers Verified In:

Google Chrome Version 68.0.3440.106 (Official Build) (64-bit)

IP Address:

110.54.132.199

Steps to Reproduce:

(Add details for how we can reproduce the issue)

Create an account in Microsoft Outlook/Hotmail or any email provider. (eg. old.email@outlook.com)
Create a new Yahoo! Mail accocunt. (eg. new.email@yahoo.com)
Link the old email address as a recovery email to the new Yahoo! Mail account.
Wait until the old email account (recovery email) has been deactivated due to inactivity. (This could take a very very very long time)
The attacker re-registers the my old email account as his/her own email.
The attacker resets my password using my old email account as a recovery email to hack my Yahoo! Mail account.

Supporting Material/References:

None

Impact

The attacker could obtain full access to the victim's account which could lead to countless issues like frauds and hacks on other social media accounts.

Update

I have posted a bug report on Yahoo! Mail's HackerOne bug tracker and this is what I got:

Ang Akong Papa

Akong mahinumduman sauna nga Akong papa, si-aw kaayo, hinagad og tawo, pero medyo buluyagon. Sa iyang kinabuhi, daghan siyang nabuhat nga maayo, daghan siyang natabangan nga tawo, ug labaw sa tanan daghan siyang napalipay nga tawo. Maayo gyud kaayo akong papa basta sa laing tawo. Pero sa iyang pagkamaayo sa

Free Email Services: Potential Issue on Security and How They Help Hacking Facebook Easier – Expired Recovery Email Exploit on Resetting Passwords

Vuln Type: Account Takeover Product Area: Facebook - Web Description/Impact: Description === This vulnerability report describes how an attacker could obtain access to (pressumably) any Facebook account by resetting the password through recovery email which was re-registered after previously automatically-deactivated (because of inactivity) by an external freemail provider, like old

Only Fools Die

Life has not been perfect for me and never will it be. And what the hell, was it ever perfect and whose life was ever perfect, anyway?

My Life as an Ugly Individual and Why It Doesn't Suck (Anymore)

As my high school teacher once said... Why problem a problem that has no solution? And why problem a problem that has a solution?