
Thread: Palin Email Hack Was "Easy"

  1. #1
    Senior Member phernandez's Avatar
    Join Date
    Aug 2003
    Location
    NYC
    Posts
    246

    Palin Email Hack Was "Easy"

    Hacking Sarah Palin's Yahoo mail account was easy, exposes shortcomings in password recovery mechanisms.

    Attacker: Hacking Sarah Palin’s email was easy - Zero Day Blog, ZDNet.com

    ...after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!) the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college...
    I guess it pays to be fairly "anonymous" lest your personal history is online for all to see.
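The recovery weakness the quoted ZDNet post describes, modelled as an added example (this is not Yahoo's code and not part of the original thread; the account, the "public" facts and the candidate lists are constructed). The weak class gates a reset on knowledge-based answers alone with no rate limit, so an attacker who can narrow each answer to a few candidates from public sources enumerates them; the token class shows the usual fix, a random single-use short-lived token delivered out of band plus per-account rate limiting, so public facts are not sufficient by themselves.

```python
"""Two account-recovery designs side by side (added example, constructed data)."""
import hashlib
import hmac
import itertools
import secrets
import time

# Constructed sample account; the values are illustrative, not anyone's data.
ACCOUNT = {
    "username": "example.user",
    "password": "old-password",
    "birthday": "1970-01-01",
    "zip": "99654",
    "met_spouse": "high school",
}


class WeakRecovery:
    """Reset gated only by security-question answers, with no rate limit."""

    def __init__(self, account):
        self.account = account
        self.attempts = 0

    def reset(self, birthday, zip_code, met_spouse, new_password):
        self.attempts += 1
        ok = (
            birthday == self.account["birthday"]
            and zip_code == self.account["zip"]
            and met_spouse.strip().lower() == self.account["met_spouse"]
        )
        if ok:
            self.account["password"] = new_password
        return ok


def guess_weak_reset(service, public_birthday, candidate_zips, candidate_answers):
    """Attacker side: try every combination of the small candidate sets.

    Returns (zip, answer, attempts_used) on success, None otherwise.
    """
    for zip_code, answer in itertools.product(candidate_zips, candidate_answers):
        if service.reset(public_birthday, zip_code, answer, "attacker-chosen"):
            return zip_code, answer, service.attempts
    return None


class TokenRecovery:
    """Reset requires a random single-use token sent out of band.

    request_reset() returns the token here only so the example can drive the
    flow; a real service would send it to a pre-registered recovery address
    or phone and never reveal it in the response.
    """

    MAX_REQUESTS_PER_WINDOW = 3
    WINDOW_SECONDS = 3600
    TOKEN_TTL_SECONDS = 900

    def __init__(self, account, now=time.time):
        self.account = account
        self.now = now  # injectable clock so expiry can be exercised
        self.request_times = []
        self.token_hash = None
        self.token_expiry = 0.0

    def request_reset(self):
        """Issue a token, or return None when the account is rate-limited."""
        t = self.now()
        self.request_times = [r for r in self.request_times if t - r < self.WINDOW_SECONDS]
        if len(self.request_times) >= self.MAX_REQUESTS_PER_WINDOW:
            return None
        self.request_times.append(t)
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        # Store only a hash so a database leak does not expose live tokens.
        self.token_hash = hashlib.sha256(token.encode()).digest()
        self.token_expiry = t + self.TOKEN_TTL_SECONDS
        return token

    def complete_reset(self, token, new_password):
        """Accept the reset only for a valid, unexpired, unused token."""
        if self.token_hash is None or self.now() > self.token_expiry:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, self.token_hash):  # constant-time compare
            return False
        self.token_hash = None  # single use: invalidate before changing the password
        self.account["password"] = new_password
        return True


if __name__ == "__main__":
    weak = WeakRecovery(dict(ACCOUNT))
    print("weak flow:", guess_weak_reset(weak, "1970-01-01", ["99687", "99654"], ["college", "high school"]))
    strong = TokenRecovery(dict(ACCOUNT))
    print("guessed token accepted:", strong.complete_reset(secrets.token_urlsafe(32), "attacker-chosen"))
```

Against the weak flow, two candidate zip codes and two candidate answers give at most four attempts, which matches the "45 minutes on Wikipedia and Google" the quoted attacker describes; against the token flow the same public facts buy nothing, since the attacker never sees the token, a wrong token fails the constant-time check, and repeated requests are cut off by the per-account window.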

  2. #2
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    Sadly, Yahoo just headlined this exact exploit not too long ago. It makes me wonder if this guy knew of the exploit, or learned of it through the story Yahoo ran.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  3. #3
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
From what I heard it wasn't really an exploit, he just reset the password using the information necessary for the "forgot password" function to be run. Since she is so well known it was easy to find her info.

  4. #4
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    I agree with oofki. This is nothing new. I changed my wife's password while we were still dating as a joke. [I changed it to westinkicks***]

    This isn't a security hole... it's a feature :P
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  5. #5
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
From what I heard it wasn't really an exploit
    I think you & I differ on what we consider an exploit.

    he just reset the password using the information necessary for the "forgot password" function to be run
    Right. That's what was headlined on Yahoo not too long ago. I'm just curious if this guy learned of it from the story, or knew of it for some time and just decided to recently use the technique.

The timing of the event seemed to coincide with Yahoo's story that ran recently. This is more of a "Is there such a thing as too much public knowledge" inquiry.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  6. #6
    Senior Member JPnyc's Avatar
    Join Date
    Jan 2005
    Posts
    2,734
    I would consider an exploit to be anything which allows a system to be used for something other than its intended purpose.

  7. #7
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    I'd guess most people are of the mindset that an exploit is a flaw in program design. And it makes sense because, that's what most design flaws are called these days. I happen to see it as something that can be manipulated for selfish and/or malicious purposes.

    That should clear it up a bit (I hope!)
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  8. #8
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Location
    Superior, WI USA
    Posts
    636
    "Hacking is supposed to be about intellectual exploration, so resetting the password of someone’s Yahoo mailbox no matter if it’s the Pope, requires no more than two brain cells put into action."

    O
    Last edited by Ouroboros; September 23rd, 2008 at 06:22 AM.
    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor


  9. #9
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391
It's not an exploit, he just happened to realise that if you can find someone famous enough and find out if they happen to have a free email address, Yahoo, Hotmail or Gmail for instance,
then most likely they have been ignorant enough to actually use real details for their sign-up questions.

This could have happened at any time, it's just that after the story about how you can just do this and this to find out famous people's details, and find out if they have a free email address, that you can try to use available information related to this person to see if they were ignorant enough to use the details in their sign-up questions.

This skiddie is just trying to get some street cred. He just went about boasting about it the wrong way. And if he really knew or had an idea of how to properly cover himself he wouldn't have used an HTTP proxy that so many sites offer these days.
Dir of course the feds will get a warrant and make the dude running the site offering proxy use hand over logs for such and such date at such and such time.

  10. #10
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    It's not an exploit
    ...speculation by computer security experts who said Yahoo's "forgot-my-password" service almost certainly was exploited
    I'm not really looking to debate semantics. Whatever it is, it's not relevant to answering my question.

This could have happened at any time
    But, it happened about a week after Yahoo ran the story. I'm curious if this knowledge was gained simply by going to Yahoo and reading an article. That's all I'm really interested in.

    Ouroboros,
    Yeah, they throw around the term "hacker" in these articles with almost no regard.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton
