
I came across a serious issue with Yahoo! Mail that I hope someone would help to fix or raise awareness for.

I wanted to create an account on Yahoo! Mail. I entered my phone number into the Yahoo! login, and it asked me if I wanted to receive an access key. So I did that, and typed in the access key... Surprise, I logged in ACCIDENTALLY to the Yahoo! Mail of the previous owner of my current phone number! Someone had used the same phone number years ago and connected it to his Yahoo! mail, and once he stopped using the phone number it was eventually bought by me, and I used this phone number to gain access to his email! Yahoo! didn't even ask me for a name or email, just access to the phone number, and I was able to access his email. I immediately logged out.

Is this a normal thing? Looks like a very serious privacy issue... and Yahoo! could fix it just by requiring the person to enter the full name or email.

schroeder
Jack Patrick
  • This is a known issue, it's why people are so against 2FA based on phone numbers – TheHidden Feb 24 '20 at 11:38
  • Had you used this number for your account before or was this a new account? How did you receive the access key? Text message? – schroeder Feb 24 '20 at 11:40
  • Thanks for your quick replies! @TheHidden, please suggest some things we can do to inform Yahoo! of the seriousness of this. schroeder This was a new account. – Jack Patrick Feb 24 '20 at 11:41
  • @TheHidden this is a different issue. The username is the number. This isn't even 2FA, this is "1.5FA" – schroeder Feb 24 '20 at 11:41
  • Mr. Schroeder, I appreciate your helpful replies. Would there be anything we can possibly do to make Yahoo! change this? – Jack Patrick Feb 24 '20 at 11:43
  • @JackPatrick You want to fix this issue, but you can't. They will already know about this issue. – schroeder Feb 24 '20 at 11:43
  • Thanks again Mr. Schroeder, but, are you sure there is nothing that can be done? I mean, the solution is extremely simple: just ask the user to enter the email or his full name. – Jack Patrick Feb 24 '20 at 11:45

2 Answers


This is a fundamental flaw in their system design. They are using a phone number as the username, and phone numbers, obviously, can change hands. They then send what amounts to a password to the number without any authentication.

Just having the number, not even the original user's device, is enough to log in.

One could say that this is similar to using email addresses as usernames (because password reset tokens can be sent to the email), but email is protected by its own authentication. Over time, emails might also be abandoned and picked up by others, but that's not as common as changing numbers. And it is possible to clone phones and get access to numbers.

So, yes, this is an oddly rookie mistake on their part in overvaluing phone numbers. And they send the code without authenticating the password first.

Can this be fixed? Sure, but not as easily as you might think. This approach (phone as username) should not be fixed, this should be stripped from their system. And codes should only be sent after the password has been authenticated.

How do we inform Yahoo!? They know. They can't not know.

How do we force them to fix it? We can't.

Our response as consumers? Use a better email provider.

schroeder
  • Thank you for your answer. Well, I think that simply requiring the user to enter his full name or email address would fix it, no? That is a simple solution. I do hope that Yahoo knows about this and fixes it. If there is something you can do, please consider doing so. I appreciate your help once again. – Jack Patrick Feb 24 '20 at 11:56
  • Name and email are public info. If you know the number, one could get the previous person's name (phone books, contact lists, LinkedIn profile, etc.). There needs to be an authentication step. And no, there is nothing I can do. Even if I knew the CISO personally, it's not a simple fix. – schroeder Feb 24 '20 at 11:58
  • Thanks again, but the person wouldn't know the email and full name BEFORE having access to the email - since the only info he had back then would have been the phone number of the previous owner. Is there any privacy/tech expert I may contact in this regard? I will also attempt to message Yahoo customer service. Edit: true, but name and email aren't always public info, but good points. – Jack Patrick Feb 24 '20 at 12:00
  • Read my comment. By knowing the number, you can also discover the previous owner's name/email. That's before you get access to their Yahoo email. This ***is*** a place for privacy/tech experts. What do you want to ask them? – schroeder Feb 24 '20 at 12:08
  • I see what you mean, thanks. 1) what would you say is a good solution that Yahoo could adopt? 2) if you were in such a situation and you had forgotten your Yahoo! email, and your old phone number now belongs to someone else, what measures would you take to protect your privacy? – Jack Patrick Feb 24 '20 at 13:08
  • As I mentioned, a password should be authenticated first before the code is sent. What to do as the victim would depend on what options the service provided. – schroeder Feb 24 '20 at 13:52
  • Thanks again! Well, what does Yahoo! provide? I have contacted customer support, but to be frank, they ignored it politely. – Jack Patrick Feb 24 '20 at 14:27
  • Mr. Schroeder, in your opinion, what's the best way to start a petition to get Yahoo to change this? – Jack Patrick Feb 25 '20 at 06:52
  • There is no way, best or otherwise. – schroeder Feb 25 '20 at 07:20
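The two flows the accepted answer contrasts, as an added illustration that is not part of the original thread: a login keyed on the phone number that sends the code on request alone, beside the fix the answer asks for, where the code is only issued after the password is verified. The account store, phone number, owner address and password are all constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample store: the phone number is the username, as the thread
# describes Yahoo's design. The "previous owner" still holds this account.
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_salt = secrets.token_bytes(16)
ACCOUNTS = {
    "+15555550100": {                       # constructed number
        "owner": "previous-owner@example.invalid",
        "salt": _salt,
        "pw_hash": _hash_password("correct horse battery staple", _salt),
    },
}
PENDING_CODES = {}  # phone -> one-time code awaiting entry

def _issue_code(phone):
    # In a real service this is sent by SMS to `phone`; here it is returned
    # so the simulation can play the role of whoever now receives that SMS.
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_CODES[phone] = code
    return code

def request_code_flawed(phone):
    """Flow the question describes: possession of the number alone triggers
    the code, so the SMS *is* the whole login ("1.5FA")."""
    return _issue_code(phone) if phone in ACCOUNTS else None

def request_code_hardened(phone, password):
    """Fix the answer asks for: verify the password first, so the SMS code
    becomes a genuine second factor rather than a password substitute."""
    acct = ACCOUNTS.get(phone)
    if acct is None:
        return None
    if not hmac.compare_digest(_hash_password(password, acct["salt"]), acct["pw_hash"]):
        return None
    return _issue_code(phone)

def redeem_code(phone, code):
    """Exchange a code for the logged-in identity; codes are single use."""
    expected = PENDING_CODES.pop(phone, None)
    if expected is not None and hmac.compare_digest(expected, code):
        return ACCOUNTS[phone]["owner"]
    return None

def new_owner_can_log_in(phone, flow):
    """Someone who merely receives SMS at `phone`, knowing no password."""
    code = request_code_flawed(phone) if flow == "flawed" else request_code_hardened(phone, "")
    return code is not None and redeem_code(phone, code) is not None
```

With the flawed flow the new holder of the number is logged in as the previous owner; with the hardened flow the same attempt stops before any code is sent.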

See if you can use Google Voice as your SMS phone number.

Google Voice accounts are not susceptible to SIM Swapping or the normal SMS based attacks. It is still 1-factor -- which isn't great -- but that 1-factor can be secured by two factors (as it is tied to your Gmail account).

bones225