Yahoo to plug security hole in dating site
Fix comes after security expert finds clues in online profiles that could let intruders reset passwords.
The main problem is that Yahoo Personals ads contain clues about key personal information--namely birth date and ZIP code--that members also use to reset their passwords. If an intruder obtains that data, the only thing that would block him from changing passwords and accessing accounts are members' secret questions, such as "What's your pet's name?" "What is your favorite pastime?" and "What is your all-time favorite sports team?"
In the age of instant messaging and e-mail, answers to such questions are often easy to obtain with a bit of social engineering, said Bennett Haselton, a freelance programmer and Internet free-speech advocate in Seattle who discovered the weakness. "It's the kind of thing that you could ask someone without arousing their suspicion," Haselton said in an e-mail exchange.
The weakness weighs in low on the risk scale; it involves more effort than the average hack. And there's not much to gain. Yahoo Personals does not disclose credit card numbers or other data that could be used for financial gain on its members' account pages. In fact, most members use a screen alias, which further obscures their identity. "It requires a fair amount of time and work until you actually get into those accounts," said Sacha Faust, a senior research engineer at SPI Dynamics, a computer security firm in Atlanta.
Yahoo nonetheless pledged to fix the problem after CNET News.com alerted the company to it.
"Yahoo takes security very seriously and employs measures to help protect our users," Mary Osako, a company spokeswoman, said in a statement. "Upon learning of this issue, we immediately began working on a number of improvements, some of which are already in effect."
Specifically, Yahoo plans to change the way it updates the age field in members' profiles. Its current method could allow a hacker to guess a member's birthday, which could help the hacker, in turn, reset the member's password. There's a similar risk with ZIP codes, Haselton said. And it's possible to create an automated system to monitor the site for clues, he said.
While seemingly minor, the feature is an example of disjointed design, Haselton argued. "The password reset feature assumes your birth date and ZIP code are
semi-secret; the personal ads feature assumes they're not," he said via e-mail.To obscure birth dates, Yahoo will soon update age fields across the site once a month, a representative said.
Yahoo is not the only dating site to tip strangers off to its members' birthdays. Match.com, AmericanSingles and Lavalife all do too, Haselton said. But those sites also use various safeguards that make resetting passwords much harder than Yahoo Personals does, he added. Even so, birth dates are often used to verify identity, and these sites should do more to guard them, he said.
Representatives for Match.com and LavaLife declined to comment for this story. An AmericanSingles spokeswoman said the company is not concerned about the possibility of revealing birthdays because it conceals members' identities through the use of aliases. "Given that everything else is anonymous, we don't think that it's going to pose any risk for our members," she said.
Yahoo also plans to remove "What's your pet's name?" from the top of the list of nine secret questions people can choose from when setting up accounts, though it will remain in the list. The spokeswoman did not specify which question Yahoo will move to the top.
The move highlights how certain "secret questions," a popular security safeguard on the Web, can be a weak line of defense against a determined intruder. A famous example is the hack on Paris Hilton's T-Mobile Sidekick phone earlier this year. The hacker was reportedly aided by the fact that she had publicized the answer to her secret question--her dog Tinkerbell's name.
But even for noncelebs, answers to secret questions are often easy to guess, or they're the kind of information people don't generally think twice about disclosing to a relative stranger, like a potential date.
"I think the (Internet) industry needs to start revising that and asking harder questions," SPI Dynamics' Faust said. "Many people write very quick answers, something easy to remember. Then you're open to these minor socially engineered attacks."