Menu
Facebook and Yahoo prevent use of recycled email addresses to hijack accounts

Facebook and Yahoo prevent use of recycled email addresses to hijack accounts

A new mechanism helps email servers determine if a message was intended for a recycled account's previous owner

Facebook and Yahoo have developed a mechanism to prevent the owners of recycled email addresses from hijacking accounts that were registered on other sites using those addresses in the past.

Last year, Yahoo announced a policy that involves deleting inactive email accounts and making their IDs available again for registration. Microsoft has been doing the same with Outlook.com accounts.

The practice of recycling email addresses has been criticized by security and privacy experts because it opens up the door to abuse. Attackers could register deleted addresses and take over accounts on third-party sites that use them for confirming password change requests. In addition, the recycled addresses might continue to receive messages containing sensitive information that is destined for their previous owners.

Facebook's security team studied the impact of email address recycling for the site's users and has worked with Yahoo to mitigate the potential security risks. Employees from the two companies have developed a mechanism that involves adding a new field in the header of sensitive email messages to include the date since the sender has known the recipient's address.

The email provider can check if the receiving account has changed owners since the date specified in this field, and if it has, it can block the message from being delivered because it was likely intended for a previous owner.

The new field is called Require-Recipient-Valid-Since and is defined as part of an extension to the Simple Mail Transfer Protocol (SMTP) called RRVS. For now the mechanism is used by Facebook and Yahoo, but the new SMTP extension was published as a proposed standard by the Internet Engineering Task Force and can be adopted by others as well.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Tags securityprivacyMicrosoftFacebookYahooonline safetyAccess control and authenticationIdentity fraud / theft

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments