13:04 Yandex breakmail
I had always been confident in Yandex's security posture. Yesterday, however, I stumbled on one nasty feature that makes it quite easy to gain access to some mailboxes. I am used to the standard scheme: when registering a mailbox, you give another mailbox of yours as a contact address, so that if you forget the password, the recovery code is sent to that box after you answer the secret question. That is how it has always worked practically everywhere. Well, that is no longer the case here: Yandex now resets your password via your mobile phone! Here is the registration form for a mailbox: [registration form screenshot not included]. One can argue about how much safer it is to recover a password via SMS. On the one hand, it involves the user in the recovery process; on the other hand, a cracker trying to steal someone else's mailbox knows exactly what he wants and still has to get access to a specific cell phone. Sometimes that is easier than finding the hidden e-mail address the code is sent to. But the problem lies elsewhere: in the habits of Internet users. Recently I registered a mailbox for a friend. Look at the form again: which fields will an experienced Internet user fill in? Will he read the comments written on a gray background? You can certainly call me an idiot, but on autopilot I created a password, a secret question and a contact e-mail. I did not enter a mobile phone, because the field is marked optional (!), and I do not fill optional fields with personal information, and don't tell me I'm the only one. Of course, the next day my friend forgot the mail password, so I decided to use the recovery options. It turned out that it is enough to answer the secret question, and Yandex then offers to send an SMS with the recovery code to any (!) mobile number, since no phone was specified at registration! In my opinion the correct behaviour in this case would be to send the code to the e-mail address given at registration.
And now the most important point: earlier, Yandex accounts could not have a phone set at all! That means you can be sure that most e-mail accounts still have no phone set. So to break into a mailbox you only need to answer the secret question, and what do you think that is? I would like to see Yandex's statistics, but I am sure that in a huge proportion of cases the secret question is "Mother's maiden name". Believe me, that is not the kind of information that is hard to find when trying to hack a specific person's mailbox.
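As an added illustration (not Yandex's code, and not part of the original post), here is a toy model of the two recovery flows in Python. `recover_vulnerable` reproduces the behaviour described above: with no phone on file, the secret question alone unlocks recovery and the requester names the SMS destination. `recover_hardened` delivers the code only to a channel that was verified at registration and refuses when none exists. The account, the attacker's phone number and the guessed answer are constructed sample values.

```python
"""Toy model of a password-recovery endpoint (added example, not Yandex's code).

recover_vulnerable: reproduces the flaw described in the post.
recover_hardened:   only delivers the code to a channel verified at registration.
All account data below is constructed for the example.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    email: str
    secret_answer: str
    recovery_email: Optional[str] = None
    verified_phone: Optional[str] = None  # set only after an SMS confirmation


@dataclass
class Delivery:
    channel: str       # "sms" or "email"
    destination: str   # where the code was sent
    code: str


def answer_matches(account: Account, answer: str) -> bool:
    """Compare normalised answers in constant time (the question itself is
    weak, as the post argues, but at least do not leak timing)."""
    expected = account.secret_answer.casefold().strip()
    given = answer.casefold().strip()
    return hmac.compare_digest(expected, given)


def recover_vulnerable(account: Account, answer: str, requested_phone: str) -> Optional[Delivery]:
    """Deliberately reproduces the flow from the post."""
    if not answer_matches(account, answer):
        return None
    code = secrets.token_hex(3)
    if account.verified_phone:
        return Delivery("sms", account.verified_phone, code)
    # Flaw: no phone on file, so the requester picks the number.
    # An attacker who guessed the secret answer supplies his own phone.
    return Delivery("sms", requested_phone, code)


def recover_hardened(account: Account, answer: str, requested_phone: Optional[str] = None) -> Optional[Delivery]:
    """Code goes only to a channel the account owner verified earlier;
    requested_phone is accepted for API compatibility and ignored."""
    if not answer_matches(account, answer):
        return None
    code = secrets.token_hex(3)
    if account.verified_phone:
        return Delivery("sms", account.verified_phone, code)
    if account.recovery_email:
        return Delivery("email", account.recovery_email, code)
    # No verified channel at all: refuse rather than trust caller input.
    return None


def attacker_gets_code(delivery: Optional[Delivery], attacker_phone: str) -> bool:
    """True if the recovery code ended up on the attacker's handset."""
    return delivery is not None and delivery.channel == "sms" and delivery.destination == attacker_phone


# Constructed sample: victim registered without a phone, as in the post.
VICTIM = Account(email="victim@example.test", secret_answer="Smith",
                 recovery_email="backup@example.test")
ATTACKER_PHONE = "+70000000000"

if __name__ == "__main__":
    weak = recover_vulnerable(VICTIM, "smith", ATTACKER_PHONE)
    strong = recover_hardened(VICTIM, "smith", ATTACKER_PHONE)
    print("vulnerable flow, attacker receives code:", attacker_gets_code(weak, ATTACKER_PHONE))
    print("hardened flow, code delivered to:", strong.channel, strong.destination)
```

The point of the model is the branch taken when `verified_phone` is empty: the vulnerable flow falls back to whatever number the requester typed, while the hardened flow falls back only to the contact address the owner gave at registration, which is the behaviour the post asks for.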