Yahoo! Timestamps! Now! Block! Facebook! Email! Snoops!

A year later, selfies saved from Purple Palace zombie email accounts

Facebook has begun using a Yahoo! email standard created in August last year to prevent snooping through the acquisition of old addresses.

The standard, dryly dubbed Require-Recipient-Valid-Since (RRVS), informs Facebook and others of the last point in time at which ownership of an email address was known.

Facebook software engineer Murray Kucherawy said the company knew it had to 'study closely' last year's Yahoo! dormant email address revival, a move much derided by the security community for the risk of third-party account hijacking through password resets.

"If a Facebook account were connected to a recycled Yahoo email address, that account could be taken over by the new Yahoo account owner via a password change request if no additional protections were in place," Kucherawy said (without adding the exclamation point).

"Working with our counterparts at Yahoo, we quickly proposed and prototyped an enhancement to email that mitigates this problem.

"The enhancement inserts a timestamp within an email message to indicate when we last confirmed the ownership of a Yahoo account. If the account changed hands since our last confirmation, Yahoo can just drop the message, preventing delivery of sensitive messages to the wrong hands."

It was a means of managing recycled email addresses, Kucherawy said, and was submitted to the Internet Engineering Task Force in August 2013.
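The receiving-side check Kucherawy describes can be sketched as follows. This is an added example, not code from the article, Facebook or Yahoo; the header syntax (address, semicolon, date) follows the RRVS specification, while the mailbox table, addresses, dates and function names are constructed for illustration.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"

# Constructed mailbox table: when the *current* owner took over each address.
OWNED_SINCE = {
    "alice@mail.example": datetime(2010, 3, 1, tzinfo=timezone.utc),
    "bob@mail.example": datetime(2013, 7, 15, tzinfo=timezone.utc),  # recycled
}

def constructed_reset_mail(recipient, stamp):
    """Build a sample password-reset message (constructed, not captured)."""
    return (
        "From: security@social.example\n"
        f"To: {recipient}\n"
        "Subject: Password reset\n"
        f"{HEADER}: {recipient}; {stamp}\n"
        "\n"
        "Reset link follows.\n"
    )

def rrvs_decision(raw_message, recipient):
    """Return 'deliver' or 'drop' for one recipient of one message."""
    recipient = recipient.lower()
    owned_since = OWNED_SINCE[recipient]
    msg = message_from_string(raw_message)
    for value in msg.get_all(HEADER, []):
        addr, sep, stamp = value.partition(";")
        if not sep or addr.strip().lower() != recipient:
            continue  # header is about a different recipient
        try:
            valid_since = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # unparseable timestamp: treated like a missing header (assumption)
        if valid_since.tzinfo is None:  # "-0000" parses as naive; assume UTC
            valid_since = valid_since.replace(tzinfo=timezone.utc)
        if owned_since > valid_since:
            return "drop"  # address changed hands after the sender's check
    return "deliver"

if __name__ == "__main__":
    stamp = "Sat, 1 Jun 2013 09:23:01 -0700"
    for rcpt in OWNED_SINCE:
        print(rcpt, rrvs_decision(constructed_reset_mail(rcpt, stamp), rcpt))
```

Messages without the header are delivered as before, so the protection only applies when the sender stamps its sensitive mail.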

Yahoo! inked the now-proposed Task Force standard after it copped no shortage of security flak for opening up old accounts without first creating sufficient safeguards. ®

