Facebook reveals patch in response to Yahoo's account recycling program

Turns out there was a bit of a vulnerability (and lack of communication) between Yahoo and Facebook. Whoops!

Remember when Yahoo announced it was going to recycle dormant accounts and free up those username possibilities to generate activity and attention?

Well, according to Facebook's security team, the social network discovered that if a person's Facebook account was connected to a recycled Yahoo email address, that account could be taken over (and potentially compromised) by the new Yahoo account owner -- all through a simple password change request. Whoops!

Despite the obvious communication gap, things appear to be back on track between these two.

Facebook and Yahoo collaborated to develop what they are touting as a new "industry standard" security precaution, one that promises to keep both the recycled email addresses on Yahoo and Facebook passwords secure.

Facebook engineers explained in a blog post on Thursday how they have been working with the Yahoo Messenger team to patch up the problem.

Dubbed Require-Recipient-Valid-Since (or RRVS, for short), the protocol was set up to pinpoint ownership of a given mailbox based on time stamps. Here's how:

The enhancement inserts a timestamp within an email message to indicate when we last confirmed the ownership of a Yahoo account. If the account changed hands since our last confirmation, Yahoo can just drop the message, preventing delivery of sensitive messages to the wrong hands.

Facebook appears confident that this should alleviate any worries, so much so that it has submitted the development to the Internet Engineering Task Force, where it has since been labeled a Proposed Standard.
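The receiving-side check described in the quoted passage, as an added sketch that is not Facebook's or Yahoo's code: the header name is the protocol's own, and the `address; date-time` value layout follows the published RRVS specification. The mailbox table, the addresses, the sample message and the fail-closed handling of malformed fields are constructed assumptions.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"

# Constructed mailbox table: when the current owner took over each address.
OWNER_SINCE = {
    "recycled@mail.example": datetime(2013, 8, 15, tzinfo=timezone.utc),
    "longtime@mail.example": datetime(2009, 3, 1, tzinfo=timezone.utc),
}

def parse_rrvs(value):
    """Split an 'address; date-time' field value into (address, aware datetime)."""
    addr, sep, date = value.partition(";")
    if not sep or not addr.strip():
        raise ValueError("expected 'address; date-time'")
    confirmed = parsedate_to_datetime(date.strip())
    if confirmed.tzinfo is None:
        raise ValueError("timestamp has no usable UTC offset")
    return addr.strip().lower(), confirmed

def delivery_decision(raw_message, rcpt):
    """Return 'deliver' or 'drop' for one recipient of one message."""
    rcpt = rcpt.lower()
    for value in message_from_string(raw_message).get_all(HEADER, []):
        try:
            addr, confirmed = parse_rrvs(value)
        except (TypeError, ValueError):
            return "drop"  # assumption: fail closed when the check cannot be done
        if addr != rcpt:
            continue  # field refers to a different recipient
        owner_since = OWNER_SINCE.get(rcpt)
        # Unknown mailbox, or ownership changed after the sender's last
        # confirmation: the sender's intended recipient is not the one here.
        if owner_since is None or owner_since > confirmed:
            return "drop"
    return "deliver"

def sample_message(rcpt, confirmed):
    """Constructed password-reset mail carrying the sender's timestamp."""
    return (f"From: security@social.example\nTo: {rcpt}\n"
            f"Subject: Password reset\n{HEADER}: {rcpt}; {confirmed}\n\n"
            "Use the link below to reset your password.\n")

if __name__ == "__main__":
    stamp = "Sat, 1 Jun 2013 09:23:01 -0700"
    for rcpt in OWNER_SINCE:
        print(rcpt, delivery_decision(sample_message(rcpt, stamp), rcpt))
```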
