Poor programming makes Yahoo email insecure
- TAGS:Breach Security, password, Ryan Barnett, webmail, yahoo mail
- IT TOPICS:Applications, Cybercrime & Hacking, Development, Security, Security Hardware & Software
Yahoo email users, beware: bad guys can guess your password. Of course, it may take lots of guesses, but that's not a problem for them, thanks to some poor programming by Yahoo.
Original research by Ryan Barnett, director of application security research at Breach Security, was written up recently both on his blog and at The Register.
If you enter too many wrong passwords on the Yahoo webmail logon page, it eventually puts up a CAPTCHA, forcing you to prove you're a human being and preventing automated guessing. Fine. However, there is another interface to Yahoo's email system, one that does not go through the well-designed login page.
This alternate interface is a web application designed for Yahoo's partners. Companies that partner with Yahoo would like customers to be able to check their Yahoo email without transferring over to Yahoo. So, Yahoo offers a way to log in without ever seeing a Yahoo.com web page. But this alternate login mechanism has a couple of vulnerabilities.
Perhaps the biggest issue is that bad guys can guess passwords forever without being interrupted by a CAPTCHA. In fact, they aren't interrupted at all. You would expect that after some number of wrong passwords, the account would be temporarily frozen to prevent automated guesses. Not here.
Worse still, the bad guys don't have to be employees of a Yahoo partner. Yahoo accepts alternate login attempts from anywhere and anyone.
What to do? If your Yahoo webmail password is a word in the dictionary, you really should change it.
Which brings up another problem: there are, according to The Register, "virtually no rules barring the use of weak passwords - "123456" is perfectly acceptable, for instance..." All the more motivation for the bad guys, since a short list of common passwords will open a good share of accounts.
And there's still another problem with the alternative login: the error messages are too informative.
If you enter an invalid Yahoo userid on the normal website login page, the resulting error message doesn't say that the userid doesn't exist. But the partner web application does. Thus, bad guys can also guess Yahoo email addresses and the system will happily report when they get one right. The result: a verified list of live addresses, and more spam for Yahoo users.
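To make the two flaws concrete, here is an added example, not Yahoo's code and not part of Barnett's research: a toy login handler that behaves the way the article describes the partner interface (no throttling, and a different error for a bad userid than for a bad password), beside a hardened version that returns one generic message and freezes an account for a cooling-off period after a few failures (the point at which a real site would demand a CAPTCHA). The account name, its password, the wordlist, and the policy numbers (five failures, a fifteen-minute freeze) are assumptions constructed for the demonstration; a small dictionary attack is run against both handlers to show the difference.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for the demo (not Yahoo's real settings).
MAX_FAILURES = 5            # consecutive wrong guesses before the account is frozen
LOCKOUT_SECONDS = 15 * 60   # length of the freeze
PBKDF2_ROUNDS = 50_000      # kept modest so the demo runs quickly

# Constructed wordlist: the kind of dictionary an attacker would try first.
COMMON_PASSWORDS = ["password", "letmein", "qwerty", "welcome",
                    "abc123", "123456", "iloveyou"]


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_store(creds):
    """Build {username: (salt, digest)} from plaintext pairs (demo data only)."""
    store = {}
    for name, pw in creds.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash(pw, salt))
    return store


# A dummy record so that a lookup for an unknown user costs the same as a real one
# (otherwise response time alone would reveal which userids exist).
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = _hash("not-a-real-password", _DUMMY_SALT)


def _check(store, user, password):
    salt, digest = store.get(user, (_DUMMY_SALT, _DUMMY_DIGEST))
    return user in store and hmac.compare_digest(_hash(password, salt), digest)


class NaiveLogin:
    """Mimics the partner interface as the article describes it:
    no throttling, and a different error for a bad userid than for a bad password."""
    def __init__(self, store):
        self.store = store

    def login(self, user, password):
        if user not in self.store:
            return "no such user"          # tells the caller the userid is invalid
        if not _check(self.store, user, password):
            return "bad password"          # tells the caller the userid is valid
        return "ok"


class HardenedLogin:
    """One generic failure message, plus a per-account freeze after MAX_FAILURES."""
    def __init__(self, store, clock=time.time):
        self.store = store
        self.clock = clock                 # injectable so tests can advance time
        self.state = {}                    # user -> (failure_count, locked_until)

    def login(self, user, password):
        now = self.clock()
        failures, locked_until = self.state.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"                # a production site would serve a CAPTCHA here
        if _check(self.store, user, password):
            self.state.pop(user, None)     # a successful login clears the counter
            return "ok"
        failures += 1                      # unknown userids are counted too
        if failures >= MAX_FAILURES:
            self.state[user] = (0, now + LOCKOUT_SECONDS)
        else:
            self.state[user] = (failures, locked_until)
        return "invalid credentials"       # same text whether or not the user exists


def dictionary_attack(handler, user, wordlist):
    """Try each candidate in order; return (password_or_None, attempts, distinct_responses)."""
    seen = set()
    for attempts, guess in enumerate(wordlist, start=1):
        result = handler.login(user, guess)
        seen.add(result)
        if result == "ok":
            return guess, attempts, seen
    return None, len(wordlist), seen


def is_weak_password(password):
    """Registration-time check of the kind The Register says was missing."""
    return len(password) < 8 or password.isdigit() or password.lower() in COMMON_PASSWORDS


if __name__ == "__main__":
    store = make_user_store({"alice": "123456"})   # constructed account with a weak password
    pw, n, seen = dictionary_attack(NaiveLogin(store), "alice", COMMON_PASSWORDS)
    print(f"naive:    cracked={pw!r} after {n} guesses, responses={sorted(seen)}")
    pw, n, seen = dictionary_attack(HardenedLogin(store), "alice", COMMON_PASSWORDS)
    print(f"hardened: cracked={pw!r} after {n} guesses, responses={sorted(seen)}")
```

Against the naive handler the attack recovers "123456" on the sixth guess and, along the way, learns from the distinct error strings that the userid is real. Against the hardened handler the fifth wrong guess freezes the account, every later guess gets "locked", and an unknown userid produces the same "invalid credentials" text as a wrong password. A lockout keyed only on the account name also lets an attacker lock legitimate users out on purpose, which is why production systems usually prefer a CAPTCHA or a per-source throttle once the threshold is reached; the freeze here stands in for that step.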
Perhaps the worst aspect of all this is that Barnett discovered these flaws back in 2007, reported them to Yahoo back then, yet they still exist and are currently being exploited.
I pointed out another issue with Yahoo's webmail just last week, in my posting about VPNs. The system doesn't encrypt web pages, other than the initial login page, so the session cookie and the contents of your mailbox travel in the clear. That alone makes Yahoo a poor choice for use on any public network, be it Wi-Fi or a wired network in a hotel.
All in all, a sad state of affairs.

