Facebook, Yahoo Curb Identity Theft with New Email Ownership Header

A new SMTP header developed by Facebook and Yahoo confirms ownership of Yahoo email accounts.

Yahoo’s decision in June 2013 to reset accounts that had been dormant for 12 months and make them available to other users raised a number of security and privacy red flags. It was feared that the potential for identity theft would grow given that if an old Yahoo account was linked to another online service, the new user would need only request a password reset to gain access.

Yahoo promised to put mitigations in place to lessen that fear, and pointed out that fewer than 10 percent of inactive IDs were tied to Yahoo email accounts.

Facebook, for one, wanted an extra measure of assurance.

Working with Yahoo, Facebook engineers developed an SMTP extension called Require-Recipient-Valid-Since (RRVS) which inserts a timestamp in the header of an email message that indicates when Facebook last confirmed ownership of the Yahoo account.

“If the account changed hands since our last confirmation, Yahoo can just drop the message, preventing delivery of sensitive messages to the wrong hands.”

“If the account changed hands since our last confirmation, Yahoo can just drop the message, preventing delivery of sensitive messages to the wrong hands,” said Murray Kucherawy, a software engineer at Facebook.

Facebook on Thursday announced the RRVS Request for Comments draft RFC7293 was approved as a Proposed Standard by the IETF.

“The intended use of these facilities is on automatically generated messages, such as account statements or password-change instructions, that might contain sensitive information, though it may also be useful in other applications,” the draft says.

Facebook said its concern is the protection of its accounts connected to a recycled Yahoo account that could be taken over by a recycled Yahoo email address. Using the RRVS extension, senders can prevent messages from being sent to anyone by the intended recipient who owned the mailbox at a certain point-in-time.

“A receiving system can compare this information against the point in time at which the address was assigned to its current user,” the draft says. “If the assignment was made later than the point in time indicated in the message, there is a good chance the current user of the address is not the correct recipient. The receiving system can then prevent delivery and, preferably, notify the original sender of the problem.”

This isn’t Facebook’s first foray into protecting its users and email. In May, the company made a plea to email providers urging them to start supporting STARTTLS. In August, Facebook said that 95 percent of its outbound notification emails were successfully encrypted with Perfect Forward Secrecy and certificate validation in place with the sender and recipient.

Just last week, Facebook announced that it developed a tool that mines paste sites such as Pastebin, Github and hacker forums looking for stolen credentials that match those belonging to Facebook accounts. The move was a reaction to the rash of data breaches recently targeting stolen credentials. If a Facebook credential is found, Facebook said that it will notify the user in question.

That announcement came on the heels of another bit of news that Facebook will double bounty payments through the end of the year for vulnerabilities found in its advertising code.

Suggested articles

Discussion

  • Lex Luthor on

    RRVS may be fine for Facebook if it's implemented properly, but what about all the other thousands of services that will not be set up to include RRVS headers? This is a terrible terrible mistake by Yahoo, and a hacker goldmine. Imagine the rush by thousands of people grabbing as many really short yahoo addresses and popular name-based addresses as they can, and then trying them out on every imaginable online service to see if they can get password reset codes sent to that address. Stupid stupid stupid.
07/18/18 2:00
Changes in Andariel group’s script may indicate that the #hackers may start using attack vectors other than ActiveX: https://t.co/GeGPm5ri6X

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.