In the aftermath of Yahoo announcing the breach of 500 million user accounts, Trend Micro Zero Day Initiative (ZDI) researchers are warning that a password reset still leaves mobile mail wide open to criminals.
As the half billion consumers affected by this breach know, Yahoo is recommending that users change their password. But ZDI noted that users who access their accounts from a mobile mail client are not prompted for the new password: the client keeps working on a device credential that was issued earlier. This means anyone who already has the account configured on a device can continue reading the mailbox after the password change, potentially harvesting additional personal data to mount further attacks on the individual.
ZDI’s Simon Zuckerbraun said that he received a notification that his account was included in the breach. Like many others, he logged in to his account and changed his password. He then opened his iPhone Mail application since he had configured the app to use his Yahoo! account. He expected to be prompted for his new password and was more than a little surprised when he found it was not necessary. Even though he had changed the password associated with his Yahoo account, the phone was still connected.
“Upon investigating, it became clear that Yahoo had issued a permanent credential to the device,” ZDI noted, in an analysis. “This credential does not expire and is not revoked when the password changes. In other words, if someone already obtained access to your account and configured the iOS Mail app to use it, they would still have access to the account even after the password changes. What’s worse is that you would likely not even realize someone still has access to your email.”
Obviously, this could lead to a situation where millions believe they are protected even though they aren’t. And ZDI noted that, even for the security conscious, it’s hard to be diligent; associated devices aren’t listed under the “Account Security” tab in the web interface—rather, they’re non-intuitively listed under the “Recent Activity” tab. And in the phone settings, there’s no option via the app to change the password.
“Here you are able to see which applications are connected to your account with an option to remove them,” ZDI noted. “It’s also interesting to see the apps and devices are just listed by product name—in this case iOS—and the date authorized. It’s up to the user to figure out what is legitimate and what’s not.”
To stay safe, users should change their Yahoo password on the web, and change it on any other online service where the compromised Yahoo password was reused. Next, enable two-factor authentication (2FA) or Yahoo’s Account Key. Finally, go to the “Recent Activity” tab on the website and remove any connected apps or devices that are not recognized; until that is done, a previously authorized device keeps its access regardless of the new password.
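The behaviour ZDI describes is a server-side design choice: a long-lived device credential is issued once and nothing ties it to the password that was in force when it was issued. The following model, an added example written for this page and not Yahoo’s or ZDI’s code, shows the weak design beside a hardened one. Every name in it (`MailService`, `DeviceGrant`, `authorize_device`, `fetch_mail`, the `password_generation` counter) is invented for illustration; the hardened mode binds each device grant to a password generation number that is bumped on every password change, and it also exposes the list-and-revoke path the article says users must do by hand.

```python
# Added illustrative model of device credentials that do or do not survive a
# password change. Not Yahoo's implementation; all names are assumptions.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def _kdf(secret: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; a real service would prefer a
    # memory-hard KDF such as Argon2id or scrypt.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class DeviceGrant:
    token_id: str
    secret_hash: bytes          # sha256 of the high-entropy token secret
    product: str                # what the UI shows, e.g. "iOS"
    authorized_at: float
    password_generation: int    # password in force when the grant was issued


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    password_generation: int = 0
    devices: dict = field(default_factory=dict)   # token_id -> DeviceGrant


class MailService:
    """Mail backend that hands out long-lived device credentials."""

    def __init__(self, revoke_on_password_change: bool):
        # False reproduces the flaw in the article; True is the hardened design.
        self.revoke_on_password_change = revoke_on_password_change

    def create_account(self, password: str) -> Account:
        salt = secrets.token_bytes(16)
        return Account(salt=salt, password_hash=_kdf(password, salt))

    def _check_password(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(acct.password_hash, _kdf(password, acct.salt))

    def authorize_device(self, acct: Account, password: str, product: str) -> str:
        """Mail-client setup: password is checked once, a device token is returned."""
        if not self._check_password(acct, password):
            raise PermissionError("bad password")
        token_id = secrets.token_urlsafe(8)
        token_secret = secrets.token_urlsafe(32)
        acct.devices[token_id] = DeviceGrant(
            token_id, hashlib.sha256(token_secret.encode()).digest(),
            product, time.time(), acct.password_generation)
        return f"{token_id}.{token_secret}"

    def fetch_mail(self, acct: Account, token: str) -> bool:
        """Return True if the device token is still accepted for this account."""
        token_id, _, token_secret = token.partition(".")
        grant = acct.devices.get(token_id)
        if grant is None:
            return False
        presented = hashlib.sha256(token_secret.encode()).digest()
        if not hmac.compare_digest(grant.secret_hash, presented):
            return False
        # The hardened check: a grant issued under an older password is dead.
        if self.revoke_on_password_change and \
                grant.password_generation != acct.password_generation:
            return False
        return True

    def change_password(self, acct: Account, old: str, new: str) -> None:
        if not self._check_password(acct, old):
            raise PermissionError("bad password")
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _kdf(new, acct.salt)
        acct.password_generation += 1     # invalidates old grants in hardened mode

    def list_devices(self, acct: Account) -> list:
        """What the user sees under a 'connected apps' page: id, product, date."""
        return [(g.token_id, g.product, g.authorized_at)
                for g in acct.devices.values()]

    def revoke_device(self, acct: Account, token_id: str) -> None:
        """Manual removal, the only remedy available in the weak design."""
        acct.devices.pop(token_id, None)


if __name__ == "__main__":
    svc = MailService(revoke_on_password_change=False)
    acct = svc.create_account("hunter2")
    tok = svc.authorize_device(acct, "hunter2", "iOS")
    svc.change_password(acct, "hunter2", "correct horse battery staple")
    print("weak design, access after password change:", svc.fetch_mail(acct, tok))
    svc.revoke_device(acct, tok.split(".")[0])
    print("after manual revoke:", svc.fetch_mail(acct, tok))
```

The weak mode is what Zuckerbraun observed: the token is checked only against its own hash, so a password change on the web changes nothing for a device that already holds one. The hardened mode adds a single integer comparison, and the same generation counter can be used to expire web sessions, OAuth refresh tokens and app passwords in one place. Either way, the connected-device list should be shown next to the password controls, not buried in an activity log.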
Yahoo did not immediately respond to a request for comment. We will update the story with any statements from the online giant.