Last year Yahoo announced the decision to reset any account that has not been used for 12 months, making them available to other users. The decision has raised several doubts for security and privacy issues, the policy chosen by Yahoo could expose users to the risk of for identity theft, let’s imagine for example that a user share the same Yahoo email with other web services, the new owner of the account could impersonate the old one and request a password reset to gain access to all the services linked to that email (i.e. Facebook).
Facebook confirmed that its concern about the security of its account linked to a recycled Yahoo account that could be taken over by a recycled Yahoo email address.
Yahoo and Facebook have worked together to overwhelm the problem, their engineers have developed an SMTP extension dubbed Require-Recipient-Valid-Since (RRVS) which inserts a timestamp in the header of an email message. The timestamp is used to indicate when Facebook last confirmed ownership of the Yahoo account.
“If the account changed hands since our last confirmation, Yahoo can just drop the message, preventing delivery of sensitive messages to the wrong hands.”
“If the account changed hands since our last confirmation, Yahoo can just drop the message, preventing delivery of sensitive messages to the wrong hands,” explained Murray Kucherawy, a software engineer at Facebook.
Facebook on Thursday announced the RRVS Request for Comments draft RFC7293 was approved as a Proposed Standard by the IETF.
“The intended use of these facilities is on automatically generated messages, such as account statements or password-change instructions, that might contain sensitive information, though it may also be useful in other applications,” states the draft.
Using the RRVS extension, the sender is able to discriminate the recipient at a certain point-in-time.
“A receiving system can compare this information against the point in time at which the address was assigned to its current user,” the draft says. “If the assignment was made later than the point in time indicated in the message, there is a good chance the current user of the address is not the correct recipient. The receiving system can then prevent delivery and, preferably, notify the original sender of the problem.”
A few days ago, Facebook announced to gave developed a tool that mines paste sites such as Pastebin and Github searching for stolen credentials belonging to Facebook accounts. The company is aware of the value of the accounts in the criminal underground and how crooks used them for illicit activities, and recent activities, including the RRVS, are its response to prevent any abuse.
Security Affairs – (RRVS, identity theft, Require-Recipient-Valid-Since)