How Facebook Protected Users with Dormant Yahoo Email Accounts

When Yahoo announced last year that it would allow user names that had been inactive to be claimed by new users, how did Facebook ensure that accounts on the social network that were tied to recycled Yahoo email addresses remained secure? Software engineer Murray Kucherawy detailed the process in a note on the Protect the Graph page.

Kucherawy wrote:

Our priority when working with partners and other companies is to ensure that Facebook accounts — which are connected to various email services, and can be extended via Facebook Login to other sites — are not only kept safe and secure, but also work together seamlessly. The Facebook ecosystem is large, and keeping your information safe is core to everything we do.

For example, last year, Yahoo announced that it was going to begin making long-dormant logins available for new registrations. This was a shift we knew we wanted to study closely to make sure we understood the impact to Facebook. If a Facebook account were connected to a recycled Yahoo email address, then that account could be taken over by the new Yahoo account owner via a password-change request if no additional protections were in place.

Working with our counterparts at Yahoo, we quickly proposed and prototyped an enhancement to email that addresses this problem. The enhancement inserts a timestamp within an email message to indicate when we last confirmed the ownership of a Yahoo account. If the account changed hands since our last confirmation, Yahoo can just drop the message, preventing delivery of sensitive messages to the wrong hands.

This new method for handling recycled email addresses is a new standard, called RRVS (Require-Recipient-Valid-Since), and it provides a way for senders to indicate to receivers a point in time when the ownership of the target mailbox was known to the sender.

To help other operators solve this problem and protect their own accounts, we documented our extension via the Internet Engineering Task Force, and the mechanism recently became a proposed standard. You can find it at http://tools.ietf.org/html/rfc7293.
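The receiver-side check described in the note, as an added example (not Facebook's or Yahoo's code). It reads the Require-Recipient-Valid-Since header field defined in RFC 7293; the mailbox table, addresses, function names and the choice to ignore malformed fields are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed receiver-side data: when each mailbox was assigned to its current owner.
MAILBOX_OWNER_SINCE = {
    "alice@example.org": datetime(2010, 5, 1, tzinfo=timezone.utc),
    "recycled@example.org": datetime(2014, 2, 1, tzinfo=timezone.utc),
}

def rrvs_decision(raw_message, recipient):
    """Return "drop" if the mailbox changed hands after the sender's timestamp."""
    recipient = recipient.lower()
    owner_since = MAILBOX_OWNER_SINCE.get(recipient)
    if owner_since is None:
        return "deliver"  # no ownership record: RRVS cannot be evaluated here
    msg = message_from_string(raw_message)
    for value in msg.get_all("Require-Recipient-Valid-Since", []):
        addr, sep, date_text = value.partition(";")
        if not sep or addr.strip().lower() != recipient:
            continue  # malformed, or meant for a different recipient
        try:
            valid_since = parsedate_to_datetime(date_text.strip())
        except (TypeError, ValueError):
            continue  # unparseable date: ignored (assumption)
        if valid_since.tzinfo is None:
            valid_since = valid_since.replace(tzinfo=timezone.utc)
        if owner_since > valid_since:
            return "drop"  # current owner is newer than the sender's confirmation
    return "deliver"

def sample_reset_mail(recipient, confirmed):
    """Build a constructed password-reset message carrying the RRVS field."""
    return (
        "From: security@sender.example\n"
        f"To: {recipient}\n"
        "Subject: Password reset\n"
        f"Require-Recipient-Valid-Since: {recipient}; {confirmed}\n"
        "\n"
        "Follow the link to choose a new password.\n"
    )

CONFIRMED = "Tue, 1 Jan 2013 09:00:00 +0000"  # constructed: sender's last confirmation

if __name__ == "__main__":
    for rcpt in MAILBOX_OWNER_SINCE:
        print(rcpt, rrvs_decision(sample_reset_mail(rcpt, CONFIRMED), rcpt))
```

The recycled mailbox, reassigned after the sender's last confirmation, is the only one for which the reset message is dropped.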

Readers: How active is the email address you registered your Facebook account under?