Yahoo’s decision in June 2013 to reset accounts that had been dormant for 12 months and make them available to other users raised a number of security and privacy red flags. It was feared that the potential for identity theft would grow given that if an old Yahoo account was linked to another online service, the new user would need only request a password reset to gain access.
Yahoo promised to put mitigations in place to lessen that fear, and pointed out that fewer than 10 percent of inactive IDs were tied to Yahoo email accounts.
Facebook, for one, wanted an extra measure of assurance.
Working with Yahoo, Facebook engineers developed an SMTP extension called Require-Recipient-Valid-Since (RRVS) which inserts a timestamp in the header of an email message that indicates when Facebook last confirmed ownership of the Yahoo account.
“If the account changed hands since our last confirmation, Yahoo can just drop the message, preventing delivery of sensitive messages to the wrong hands,” said Murray Kucherawy, a software engineer at Facebook.
Facebook on Thursday announced the RRVS Request for Comments draft RFC7293 was approved as a Proposed Standard by the IETF.
“The intended use of these facilities is on automatically generated messages, such as account statements or password-change instructions, that might contain sensitive information, though it may also be useful in other applications,” the draft says.
Facebook said its concern is the protection of its accounts connected to a recycled Yahoo account that could be taken over by a recycled Yahoo email address. Using the RRVS extension, senders can prevent messages from being sent to anyone by the intended recipient who owned the mailbox at a certain point-in-time.
“A receiving system can compare this information against the point in time at which the address was assigned to its current user,” the draft says. “If the assignment was made later than the point in time indicated in the message, there is a good chance the current user of the address is not the correct recipient. The receiving system can then prevent delivery and, preferably, notify the original sender of the problem.”
This isn’t Facebook’s first foray into protecting its users and email. In May, the company made a plea to email providers urging them to start supporting STARTTLS. In August, Facebook said that 95 percent of its outbound notification emails were successfully encrypted with Perfect Forward Secrecy and certificate validation in place with the sender and recipient.
Just last week, Facebook announced that it developed a tool that mines paste sites such as Pastebin, Github and hacker forums looking for stolen credentials that match those belonging to Facebook accounts. The move was a reaction to the rash of data breaches recently targeting stolen credentials. If a Facebook credential is found, Facebook said that it will notify the user in question.
That announcement came on the heels of another bit of news that Facebook will double bounty payments through the end of the year for vulnerabilities found in its advertising code.