How Facebook prevents account hijacking when old email addresses are recycled
Remember when last summer Yahoo announced they will recycle inactive accounts and offer them to other users? The scheme was more or less successful.
Some measures that Yahoo implemented to prevent new owners from being barraged by unwanted emails aimed at previous owners were better than others. Also, Yahoo worked hard to coordinate with online services and companies the implementation a “Require-Recipient-Valid-Since” (RRVS) header that would prevent password reset emails to be delivered to the new owners.
“If a Facebook user with a Yahoo! email account submits a request to reset their password, Facebook would add the Require-Recipient-Valid-Since header to the reset email, and the new header would signal to Yahoo! to check the age of the account before delivering the mail,” Yahoo’s Bill Mills explained the process at the time.
“Facebook users typically confirm their email when they sign up for the service or add new emails to their account, and if the ‘last confirmed’ date that Facebook specifies in the Require-Recipient-Valid-Since header is before the date of the new Yahoo! username ownership, then the email will not be delivered and will instead bounce back to Facebook, who will then contact the user by other means.”
Facebook – always on the lookout for solutions that can keep or make their users’ account more secure – did implement this Simple Mail Transfer Protocol (SMTP) extension, as noted on Thursday by Murray Kucherawy, a software engineer at Facebook.
“The enhancement inserts a timestamp within an email message to indicate when we last confirmed the ownership of a Yahoo account. If the account changed hands since our last confirmation, Yahoo can just drop the message, preventing delivery of sensitive messages to the wrong hands,” he pointed out.
Generally, email service providers that choose to recycle inactive accounts would do well to implement this standard.
“To help other operators solve this problem and protect their own accounts, we documented our extension via the Internet Engineering Task Force, and the mechanism recently became a Proposed Standard,” Kucherawy concluded.