So as we all know, Alaska Governor and VP candidate Sarah Palin’s Yahoo! email was hacked. The attack vector used by the hacker (allegedly the son of a Tennessee state representative) was the password reset feature on Yahoo. It could have happened to any Yahoo user – or could it?
Technically speaking this is not a software vulnerability but a logic flaw in the reset process – so who is to blame, and what can you do to protect yourself from being compromised the same way?
The basis of password resets is that you’ve lost your password and need to reset it, which is a valid need. First off, there should always be a primary (recovery) email address that receives the password reset (but what if your Yahoo mail is that primary address?). For the cases where a primary doesn’t exist and the challenge/response method is used, here’s a simple rule of thumb.
USE QUESTIONS THAT NO ONE ELSE ON EARTH KNOWS.
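To make the two points above concrete, here is an added example (not Yahoo’s code, and not from the original post) of a reset flow that prefers a verified recovery address and only falls back to challenge/response, treating the answers like passwords: salted and hashed, compared in constant time, rate-limited, and with a helper that generates an answer nobody else on earth knows. The account model and sample values are constructed.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAX_ATTEMPTS = 5  # constructed policy value: lock challenge/response after this many failures


@dataclass
class Account:
    recovery_email: Optional[str]  # verified out-of-band address, if any
    # question -> (salt, hash); answers are never stored in the clear
    answer_hashes: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    failed_attempts: int = 0


def _normalize(answer: str) -> str:
    # Case and spacing differences should not lock out the real owner.
    return " ".join(answer.lower().split())


def _hash(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)


def set_answer(acct: Account, question: str, answer: str) -> None:
    salt = os.urandom(16)
    acct.answer_hashes[question] = (salt, _hash(answer, salt))


def random_answer() -> str:
    # The post's rule of thumb: an answer no one else knows. A random token kept in a
    # password manager satisfies it no matter how public the account owner's life is.
    return secrets.token_urlsafe(16)


def request_reset(acct: Account, supplied: Dict[str, str]) -> str:
    """Return where the reset went: 'email', 'granted', 'denied' or 'locked'."""
    if acct.recovery_email:
        return "email"  # reset link goes out of band; no questions are asked at all
    if not acct.answer_hashes:
        return "denied"  # no fallback configured: nothing public can be guessed
    if acct.failed_attempts >= MAX_ATTEMPTS:
        return "locked"
    ok = True
    for question, (salt, expected) in acct.answer_hashes.items():  # check every answer, no early exit
        if not secrets.compare_digest(_hash(supplied.get(question, ""), salt), expected):
            ok = False
    if not ok:
        acct.failed_attempts += 1
        return "denied"
    acct.failed_attempts = 0
    return "granted"
```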
Palin’s account was allegedly breached because the challenge/response asked questions whose answers were all public knowledge. Surely this is a bit of naivete on Palin’s part. As a public figure handling potentially confidential government information, she should not be using a public email system that lacks some form of strong two-factor authentication either.
So did Palin – deserve – to be hacked? Of course not, no one does (except if you’re at Defcon), but Palin and all web users should employ common sense in their challenge/response answers for password resets – and if you’re a public figure, just don’t use them at all, since your life is bound to be an open book.