
Yahoo! Doesn’t Revoke iOS Mail Access After Password Change

Users resetting their Yahoo! passwords might also want to check the list of authorized apps and devices, because iOS Mail will continue to have access to the account even after a password reset, researchers discovered.

Last week, Yahoo! confirmed that 500 million accounts were impacted in a security attack dating back to 2014, and also prompted users to reset their passwords to ensure that the attackers can’t access their accounts. The company said at the time that the attack was state-sponsored, but researchers believe that the data is in the hands of cybercriminals who already monetized it.

Users possibly impacted by the data breach were prompted to change their Yahoo! passwords, but Zero Day Initiative (ZDI) researcher Simon Zuckerbraun has discovered that this action isn’t enough to secure a compromised account. After resetting his password when notified, he discovered that the iOS Mail app on his iPhone, which had been configured for Yahoo! mail, was still connected to the account and could access its content.

The problem, Trend Micro explains, is that Yahoo! had issued a permanent credential to the device, one that wasn’t revoked upon password reset. Thus, the application continued to be authorized, even if it wasn’t supposed to be.

“In other words, if someone already obtained access to your account and configured the iOS Mail app to use it, they would still have access to the account even after the password changes. What’s worse is that you would likely not even realize someone still has access to your email,” Trend Micro says.

While that is concerning, any “new” attacks from other devices or remote webmail logins using the old credentials would not work.
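The mechanism described above, a long-lived device credential that outlives a password reset, is easy to model. The following is an added example written for this article, not code from Yahoo!, Trend Micro or ZDI: a toy account store that issues device tokens and validates them either the legacy way (token exists, so it works) or the hardened way (any token issued before the most recent password change is rejected, and the "connected devices" listing only shows tokens that are still honoured). All names, timestamps and the logical clock are constructed for the example.

```python
"""Added example: device tokens that survive a password reset versus tokens
bound to a password 'epoch'. Not the code of any real mail provider."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class DeviceToken:
    """Long-lived credential handed to a mail client when the account is set up."""
    token_id: str
    device_name: str
    issued_at: int  # logical clock value supplied by the caller


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    password_changed_at: int  # logical clock value of the last password change
    tokens: dict = field(default_factory=dict)  # token_id -> DeviceToken


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the model realistic; the defect being shown is elsewhere.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def create_account(username: str, password: str, now: int) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, _hash_password(password, salt), now)


def login_with_password(account: Account, password: str) -> bool:
    return hmac.compare_digest(account.password_hash,
                               _hash_password(password, account.salt))


def issue_device_token(account: Account, device_name: str, now: int) -> str:
    """Called once at client setup; the client keeps the token, not the password."""
    token_id = secrets.token_urlsafe(16)
    account.tokens[token_id] = DeviceToken(token_id, device_name, now)
    return token_id


def change_password(account: Account, new_password: str, now: int) -> None:
    account.salt = secrets.token_bytes(16)
    account.password_hash = _hash_password(new_password, account.salt)
    account.password_changed_at = now  # the epoch every token is checked against


def token_is_valid(account: Account, token_id: str, enforce_password_epoch: bool) -> bool:
    tok = account.tokens.get(token_id)
    if tok is None:
        return False
    # Hardened rule: anything issued at or before the last password change is dead.
    if enforce_password_epoch and tok.issued_at <= account.password_changed_at:
        return False
    return True  # legacy rule: a token works as long as it exists


def connected_devices(account: Account, enforce_password_epoch: bool) -> list:
    """What a 'Recent Activity'-style page should show: only tokens still honoured."""
    return sorted(t.device_name for t in account.tokens.values()
                  if token_is_valid(account, t.token_id, enforce_password_epoch))


def revoke_token(account: Account, token_id: str) -> None:
    """Explicit removal from the device list, the step users are told to take."""
    account.tokens.pop(token_id, None)


def simulate(enforce_password_epoch: bool) -> dict:
    """Constructed scenario: owner enrols a phone, an intruder enrols another
    device, the owner resets the password, then re-adds the phone."""
    acct = create_account("alice", "old-password", now=1)
    issue_device_token(acct, "iOS Mail on iPhone", now=2)
    rogue = issue_device_token(acct, "iOS Mail on unknown device", now=3)
    change_password(acct, "new-password", now=4)
    readded = issue_device_token(acct, "iOS Mail on iPhone (re-added)", now=5)
    return {
        "old_password_works": login_with_password(acct, "old-password"),
        "rogue_token_works": token_is_valid(acct, rogue, enforce_password_epoch),
        "reenrolled_token_works": token_is_valid(acct, readded, enforce_password_epoch),
        "devices_listed": connected_devices(acct, enforce_password_epoch),
    }


if __name__ == "__main__":
    print("legacy  :", simulate(enforce_password_epoch=False))
    print("hardened:", simulate(enforce_password_epoch=True))
```

Under the legacy rule the password reset stops fresh logins with the old password but leaves the intruder's device token working, which is exactly the situation the article describes; under the epoch rule the reset silently kills every pre-existing token, and the owner's phone simply has to be set up again. Storing a single `password_changed_at` per account is cheap and needs no walk over the token table at reset time.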

Another issue is that Yahoo! hasn’t informed users that, after changing their passwords, they should take additional steps to secure their accounts. “This could lead to a situation where millions believe they are protected even though they aren’t,” Trend Micro notes.

What’s more, the “Account Security” tab in one’s Yahoo! account isn’t of much help in such a situation; the “Recent Activity” tab is what users should be looking at. There, they will see all the applications connected to the account and also have the option to remove them.

“Looking at the phone settings is of little help. Looking at the setting shows there is no option via the app to change the password. This is likely by design. When you set up your mail account on the device, it gets permanently credentialed until the credential is revoked through the server,” Trend Micro reveals.

Yahoo! users who recently changed their passwords are advised to check the associated applications and devices as well, and to remove those that look suspicious. Moreover, they should enable two-factor authentication (2FA) or use Yahoo’s Account Key to make it more difficult for attackers to access the account in the event of a password compromise.

By taking additional steps to secure an account after a breach notification, users can prevent further account damage. Although it’s unclear whether the attackers will be able to decrypt the stolen Yahoo! passwords or not, users will likely be less impacted if they change their password and review the associated devices, researchers say.

Related: Users File Lawsuit Against Yahoo Over Data Breach

Related: Google to Revoke OAuth 2.0 Tokens Upon Password Reset

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
