What does the Sarah Palin e-mail hack say about Yahoo?
There's an underlying issue in the debate raging about the reported hack into the Yahoo e-mail account of VP nominee Sarah Palin, and it actually has very little to do with the governor: Is there an e-mail vulnerability we should know about?
Though a Fox News report from commentator Sean Hannity yesterday credited anonymous individuals who regularly post to a massive random image posting site called 4chan with the revelation of screen shots of Alaska Governor Sarah Palin's private e-mails -- including some that may play a role in an ongoing investigation -- the address of the account may actually have been first publicly disclosed by, of all places, the Washington Post. A September 10 article by reporter Karl Vick reported that Palin had apparently been using one or two Yahoo e-mail accounts to conduct state business, with concern being cast upon the relative security of any private transactions that took place there.
But in reporting this, Vick actually posted the e-mail address in question. Though he did not post the accompanying password, it isn't too far-fetched to presume that someone may immediately have attempted logging in as the Governor, using some permutation of "hockeymom" or "lipstickpig."
Another very real possibility is that the type of person whose online exploits would eventually lead to the posting of Palin's e-mail screenshots on 4chan wouldn't have been reading the Washington Post anyway. In that case, a more crafty malicious user may have actually gained access to a list of active accounts, finding at least two that were obvious giveaways as to the Governor's identity. BetaNews has contacted Yahoo today about whether it has investigated this possibility, and we've been told to expect a response later today.
A simpler, though still feasible, method may involve a little bit of engineering, though still targeted at Gov. Palin's address directly. Back in 2004, security engineers uncovered an exploit of Yahoo's e-mail servers that enabled an individual to bypass the service's filters, and send a message filled with an enormous amount of junk content, followed by script code. The junk content would flood the system, triggering an overflow; but then the script code would be executed, delivering full information about the recipient's account back to the sender.
Yahoo reported having addressed and fixed that overflow bug that year, though, as with many other software and service vendors historically, we've seen instances where malicious users have been able to simply tweak the means of attack, try again, and be successful.
Another strange but real possibility is that the Governor, or whoever manages her account, may have fallen victim to a phishing scheme. One successful social engineering attack in 2005 involving Yahoo mail gave recipients a message pretending to come from Yahoo's own offices, purporting to give the recipient the means to retrieve someone else's lost e-mail password using her own. The message gave explicit instructions as to how to format the password retrieval message; someone following those instructions to the letter would have been formatting data in the precise method required for the malicious user's script to capture the requester's own password and enter it into a database.
Evidence of having fallen prey to such a scheme may lie in the Governor's own messages, which have now to some extent been made public.
In the wake of Fox News' attribution of the hack to someone on 4chan, a new wave of attention has been cast upon what BetaNews discovered to be a completely tasteless and obscene cesspool of material, very little of which concerned anything the least bit intellectual in nature. Though some are now crediting anonymous 4chan users with having the sensibility to have removed the e-mail account's screenshots from public view, the truth is, in our own tests (which, quite frankly, make me want to take a long bath in bleach), we found no evidence that the location from which the posts were originally made (which we did find) was being maintained by anyone who could have performed the actual hack. In other words, we think the screenshots were obtained second-hand, if not third- or fourth-hand.
In the end, the disclosure of what one sender of e-mail confirmed to major press sources as legitimate e-mails from the Alaska governor's office may turn out to be a hack conceived not so much out of deceit as by default.