Who needs hackers? Palin e-mail hack reveals obvious vulnerability

The tell-all autobiography of the person who broke into Gov. Sarah Palin's Yahoo address may not have much to say. Assuming his story checks out -- and it's looking likely that it will -- the method he used was all too easy.

Of the four technical possibilities that BetaNews speculated yesterday could be linked to the means by which someone hijacked the Yahoo e-mail account of Alaska governor and Republican vice presidential nominee Sarah Palin this week, the actual method may have ended up being far simpler than we surmised.

This morning, the Nashville Tennessean reported that the son of a Democratic state representative is being investigated as perhaps being the anonymous person who originally broke into Gov. Palin's account, and then bragged about doing so to the Associated Press. In its own story, the AP says it received a request from the US Secret Service to turn over information about its anonymous source, but the AP declined to comply.

In that interview as described by reporter Ted Bridis, the anonymous individual admits to having obtained access to the name of Gov. Palin's Yahoo account through public sources. Most likely, it was the Washington Post that publicly disclosed the account's name.

As the source went on to say, although guessing the Governor's password might have been a difficult matter, he didn't have to go that far. Yahoo lets an individual change his password if he claims to have forgotten it, and if he can answer a single "challenge question."

When someone needs to retrieve his lost Yahoo e-mail password, he gets a challenge question like this one. But is this the kind of question that anyone who knows this person can easily answer?

While Yahoo does employ an alphanumeric graphic pattern of random, distorted characters -- such as "sG3e0&" -- to prevent automated scripts from attacking the system, the single challenge question could very well be, in the case of a very public figure, another fact that has already entered the public domain. In this case, the source said, the question was where the account holder first met her sweetheart. The answer was known to anyone who saw Gov. Palin's recent interview with ABC News: Wasilla High School.

This revelation raises the possibility that any public figure with an e-mail account on a public service provider such as Yahoo or Google (Gmail) might need to protect her account with something the general public cannot easily guess. In Gmail's case, the challenge question can be changed to a clue that may only have meaning to the account holder.

Yahoo appears to have suspended further comment on the matter, probably pending an investigation.
