Tuesday, October 4, 2016

Think changing your #Yahoo password is enough? Think again…

Like many others, Simon received a notification that his account was included in the breach. Like many others, Simon logged in to his account and changed his password. He then opened his iPhone Mail application since he had configured the app to use his Yahoo account. He expected to be prompted for his new password and was more than a little surprised when he found it was not necessary. Even though he had changed the password associated with his Yahoo account, the phone was still connected.
Upon investigating, it became clear that Yahoo had issued a permanent credential to the device. This credential does not expire and is not revoked when the password changes. In other words, if someone already obtained access to your account and configured the iOS Mail app to use it, they would still have access to the account even after the password changes. What’s worse is that you would likely not even realize someone still has access to your email.
This presents a couple of different problems. First, the steps needed beyond changing your password are not being clearly communicated by Yahoo. This could lead to a situation where millions believe they are protected even though they aren’t. Additionally, even if you are security conscious like Simon and want to review your activity and devices, the information is not easy to find. Associated devices aren’t listed under the “Account Security” tab at all. As shown in Figure 1 (below), the “Account Security” tab has no mention of associated devices.

Figure 1 – Yahoo Security Tab

The setting actually exists under the “Recent Activity” tab (Figure 2). Here you are able to see which applications are connected to your account, with an option to remove them. It’s also worth noting that the apps and devices are listed only by product name – in this case “iOS” – and the date authorized. It’s up to the user to figure out which entries are legitimate and which are not.

Figure 2 – Yahoo Recent Activity Tab

Looking at the phone’s mail settings (Figure 3) is of little help: the app offers no option to change the password. This is likely by design. When you set up your mail account on the device, it is issued a permanent credential that remains valid until it is revoked on the server side.
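To make the mechanism concrete, here is an added Python model of a device token store (not Yahoo’s or Apple’s code; the account, password and token values are constructed for illustration). `token_valid_permanent` reproduces the behaviour described above, where the credential survives a password change and only an explicit remove ends the device’s access, while `token_valid_bound` shows a server-side check that ties each token to the password generation it was issued under, so a password change invalidates every previously configured device.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
@dataclass
class Account:
    password_hash: bytes
    password_generation: int = 0  # bumped on every password change
    device_tokens: dict = field(default_factory=dict)  # token -> {product, generation}
def hash_password(password):
    # Demonstration only; a real service would use a slow, salted password hash.
    return hashlib.sha256(password.encode()).digest()

def login(acct, password, product):
    # The password is checked once, at setup; the device then receives a long-lived token.
    if not secrets.compare_digest(acct.password_hash, hash_password(password)):
        return None
    token = secrets.token_urlsafe(32)
    acct.device_tokens[token] = {"product": product, "generation": acct.password_generation}
    return token

def change_password(acct, old, new):
    if not secrets.compare_digest(acct.password_hash, hash_password(old)):
        return False
    acct.password_hash = hash_password(new)
    acct.password_generation += 1
    return True

def token_valid_permanent(acct, token):
    # Behaviour the post describes: a password change never touches the token.
    return token in acct.device_tokens

def token_valid_bound(acct, token):
    # Hardened check: a token minted under an earlier password generation is rejected.
    rec = acct.device_tokens.get(token)
    return rec is not None and rec["generation"] == acct.password_generation

def revoke_device(acct, token):
    # The manual "remove" action the Recent Activity tab offers.
    return acct.device_tokens.pop(token, None) is not None

def scenario():
    # Simon's walk-through on constructed data: set up Mail, then change the password.
    acct = Account(password_hash=hash_password("old-password"))
    token = login(acct, "old-password", "iOS")
    assert change_password(acct, "old-password", "new-password")
    still_connected = token_valid_permanent(acct, token)  # True: the phone keeps working
    cut_off = not token_valid_bound(acct, token)          # True under the hardened rule
    removed = revoke_device(acct, token) and not token_valid_permanent(acct, token)
    return still_connected, cut_off, removed
```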

Figure 3 – iPhone Mail Settings
While it’s unfortunate that Yahoo’s official advice for securing a hacked Yahoo account makes no mention of checking for or removing associated apps and devices, it definitely should be on your list. In fact, your list should look something like this:
The steps users take after a breach notification often determine whether further account damage occurs. It’s unknown if the attackers will be able to decrypt stolen passwords or how they intend to use other leaked data. Regardless, if you change your password and review the associated devices, you’re less likely to be impacted. By understanding all the actions needed, you can exert some control over your account’s security.

blog.trendmicro.com