Update: Yahoo has fixed a Secure Sockets Layer (SSL) flaw that jeopardized the security of its business e-mail...
accounts by sending usernames and passwords in plaintext.
Ira Winkler, president of the Annapolis, Md.-based Internet Security Advisors Group (ISAG) and author of Spies Among Us, recently discovered the flaw with Yahoo's e-mail site, mail.yahoo.com.
"This flaw wouldn't take down the Internet," Winkler said in a phone interview. "But this put business travelers at risk because they are more likely to use vulnerable methods of communicating. The information of people using library computers, hotel Ethernet ports and airport wireless hotspots is vulnerable to something like this."
In a written analysis he submitted to SearchSecurity.com, Winkler described what he found:
Upon landing at the Yahoo Mail page, he said, "I saw a little note under the area that asks for user ID and password that read: 'New: Submits Over SSL.' In other words, Yahoo now offers encryption. I thought that was a good step forward, despite the fact that it should have already been in place long before now."
But after examining the URL more closely, he found it wasn't using Hypertext Transfer Protocol over Secure Socket Layer (HTTPS). Instead, he said, it was using "a mere HTTP, meaning that it wasn't apparently using SSL as it should." He eventually determined that the flaw only affected Yahoo Business E-mail accounts.
Business E-mail accounts continued to send out passwords in plaintext, also known as cleartext, "when authentication [was] launched from the initial sign-in screen rather than switching to a different screen, one that diverts the user to enter the same information again on the basic Yahoo Mail screen," he said, adding that the confidential data was at risk when users transmitted their account information using the initial screen, where it was exposed.
He said hashed passwords are subject to a variety of attacks, while SSL is a well-proven, robust protocol. "Basically," he added, "they are now giving their paying customers the same security that they give the free customers."
Yahoo spokeswoman Meagan Busath confirmed that the flaw was fixed in response to Winkler's discovery. She also noted that Yahoo is working to expand the use of SSL.
"Yahoo has offered SSL and other password encryption methods for many years," she said in an e-mailed statement. "As part of our ongoing security improvements, we are now gradually rolling out SSL as our standard Web log-in approach to deliver an industry-standard encryption protocol to all Yahoo users."
While the problem was ultimately addressed, Winkler said working with Yahoo on a resolution was frustrating, highlighting an industry-wide problem.
"This experience in trying to resolve the issue brings up a problem others in information security have encountered: getting a line to a company's security staff to alert them to the vulnerability," he said, nothing that it took about a day to get a response. "The most difficult part in discovering and analyzing this vulnerability was contacting Yahoo about the problem."
Busath said Yahoo has a publicly available e-mail address that members of the security community can use to report technical vulnerabilities regarding its applications and services if necessary. That address is firstname.lastname@example.org.
A day might seem like nothing compared to the lengthy process vendors like Microsoft and Oracle Corp. undergo when patching security holes. But Winkler said Yahoo's approach can't be evenly compared to that of Microsoft and Oracle.
"Microsoft has set up a specific way to report security problems," he said. "Yahoo doesn't have that."
Busath said Winkler's communication difficulties aside, Yahoo fixed the problem within a day and that in the end, only a small number of users was affected.