
Yandex.Mail - “secret question” is not an obstacle for us

This post is about one small vulnerability in Yandex.Mail that nevertheless negates all the protection the “secret question” is supposed to provide.

In a nutshell: knowing the account password, you can easily hijack the account from its user by simply deleting it and re-registering.

So: there is a Yandex account whose password has been stolen. Happily rubbing our sweaty little hands, we go into Mail, then Settings, then Change password. Done, the password has been changed. Like advanced cool hackers, we also find an option next to it where you can delete the contact email addresses entered by the owner. You can even add your own if desired, no problem.
So that seems to be it: the owner now has to either forget about the account or try to restore it through technical support. Just in case, we still try clicking the “remember password” item on the main page. Oops!
Attempts to change the secret question run into the requirement to enter the current answer.
“Heh!” said the harsh Siberian lumberjacks.
We do not give up right away, and after a little digging through the settings we find one interesting item (so that we would not miss it, Yandex even highlighted it in red).
Click on it. The password alone is enough. Deletion happens instantly. Register again with the same login. As it turns out, it works.
I tried the same thing on gmail.com: the account is deleted instantly and a password is enough; the only difference is that it is not possible to register under this name again.
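
The gap described above, modeled as an added example that is not part of the original post and is not any provider's real code. The class, flag names and sample values are constructed here; the third policy (deletion gated by the same secret answer that protects the secret question) is an assumed fix, not something the post reports.

```python
import hashlib
import hmac

def _digest(secret):
    # Toy digest to keep the example short; a real store uses a salted password KDF.
    return hashlib.sha256(secret.encode()).digest()

class AccountStore:
    """Constructed model of an account service (hypothetical names throughout)."""

    def __init__(self, answer_gates_delete, retire_logins):
        self.answer_gates_delete = answer_gates_delete  # deletion needs the secret answer
        self.retire_logins = retire_logins              # deleted logins are never reissued
        self.accounts = {}    # login -> (password digest, answer digest)
        self.retired = set()  # logins that can no longer be registered

    def register(self, login, password, answer):
        if login in self.accounts or login in self.retired:
            return False
        self.accounts[login] = (_digest(password), _digest(answer))
        return True

    def delete(self, login, password, answer=None):
        acct = self.accounts.get(login)
        if acct is None or not hmac.compare_digest(acct[0], _digest(password)):
            return False
        if self.answer_gates_delete:
            # Same bar as changing the secret question: the current answer.
            if answer is None or not hmac.compare_digest(acct[1], _digest(answer)):
                return False
        del self.accounts[login]
        if self.retire_logins:
            self.retired.add(login)
        return True

def password_only_outcome(answer_gates_delete, retire_logins):
    """Return (deleted, reregistered) for someone who holds only the password."""
    svc = AccountStore(answer_gates_delete, retire_logins)
    svc.register("alice", "leaked-pw", "owner-answer")  # constructed sample values
    deleted = svc.delete("alice", "leaked-pw")
    reregistered = svc.register("alice", "new-pw", "new-answer")
    return deleted, reregistered
```

Retiring the login alone still lets a password holder destroy the mailbox; only the gated policy keeps the password from being enough for deletion.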

Source: https://habr.com/ru/post/87391/

