
The story of a "hack", or how Yahoo gave me the login and password to someone else's mail


Having forgotten my Yahoo ID, I decided to restore it using SMS identification. And within 2 minutes I had full access to a mailbox. True, it was a completely foreign one that did not belong to me.

It all started when I needed Yahoo mail in order to download the holiday photos that my friend had uploaded to Flickr. Reluctantly, I registered a new mailbox: I entered the necessary data, including my mobile phone number. And this article would not be on Habr if it were not for my girlish memory: a minute after registration I forgot its address.
In order not to register yet another mailbox, I decided to restore access to the newly created one. As expected, the service suggested that I do this by specifying a mobile phone number. But having entered my number with the Ukrainian operator life:), which I have been using for 8 years now, I was surprised to find that it was tied to a completely different mailbox, which I definitely had not registered. Not yet fully aware of what was happening, I confirmed the entered data and waited for the SMS, which was sent to my number without delay. And so I had in my hands the full Yahoo ID of someone else's mailbox.


Excitement and interest prevailed over decency, so I decided to go all the way. Having the full Yahoo ID and access to the mobile number (which, according to Yahoo, belongs to the mailbox owner), I easily recovered the password. Thus, in 3 minutes, Yahoo gave me the username and password of an e-mail box that does not belong to me.

[Image: confirmation code]

After analyzing the contents, I came to the conclusion that the mailbox has not been used for a long time and is of no value to its owner. Therefore, I dare to suggest that I did not cause significant harm to the person by “hijacking” his mailbox.

[Image: mailbox contents]

The question of how this could happen remains open. I have never dealt with Yahoo's mail service before, but I dare to suggest that when you specify a mobile number during registration, the service does not ask you to confirm with an SMS code that you really own it.

PS: the word "hack" in the title is in quotes for a reason. The above is a technical problem rather than a vulnerability that can be exploited. I do not claim the glory of a "hacker" and am generally far from the topic of IT. But it is striking that a service like Yahoo does not require verification of the number specified during registration and, on the basis of the above, allows several mailboxes to be registered to one number.
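The control the post suspects was missing, as an added sketch that is not Yahoo's code or part of the original article: a phone number becomes usable for recovery only after its holder confirms an SMS code, and a confirmed number maps to exactly one account. The class, method names, TTL and retry limit are assumptions chosen for illustration, and `send_sms` stands in for a real SMS gateway.

```python
import hmac
import secrets
import time

CODE_TTL = 300  # seconds a confirmation code stays valid (assumed value)
MAX_TRIES = 3   # wrong guesses allowed per code (assumed value)


class Accounts:
    """Hypothetical store: a phone is usable for recovery only once confirmed."""

    def __init__(self, send_sms):
        self.send_sms = send_sms  # callable(phone, code); stand-in for an SMS gateway
        self.pending = {}         # login -> [phone, code, expires_at, tries_left]
        self.verified = {}        # phone -> login (one account per number)
        self.logins = set()

    def register(self, login, phone, now=None):
        now = time.time() if now is None else now
        if login in self.logins:
            raise ValueError("login taken")
        self.logins.add(login)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[login] = [phone, code, now + CODE_TTL, MAX_TRIES]
        self.send_sms(phone, code)  # account exists, but the phone is not bound yet

    def confirm_phone(self, login, code, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(login)
        if entry is None:
            return False
        phone, expected, expires_at, tries_left = entry
        # Expired, exhausted, or number already bound elsewhere: drop the request.
        if now > expires_at or tries_left <= 0 or phone in self.verified:
            del self.pending[login]
            return False
        if not hmac.compare_digest(code, expected):
            entry[3] -= 1
            return False
        del self.pending[login]
        self.verified[phone] = login  # bound only after proof of possession
        return True

    def recover_login(self, phone):
        # Numbers that were typed in but never confirmed resolve to no account.
        return self.verified.get(phone)
```

With this rule, an account registered against a number its owner never confirmed is invisible to recovery by phone, so the current holder of the number cannot be handed that account's ID.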

Source: https://habr.com/ru/post/268023/
