You may or may not agree with Yahoo's decision to comply with a US government request to scan every incoming email for specific information of interest to the NSA or FBI, and with its failure to put up a fight, but you should surely be concerned that the initiative was apparently undertaken without consulting Yahoo's own security team.
And, according to a report in The Intercept, the snooping code was implemented in such a way that it could have allowed a hacker to “basically read everyone’s Yahoo mail”:
Alex Stamos, Yahoo's former information security chief, whom Reuters reported left the company after finding out about its cooperation with the U.S. government's scanning mandate, is said to have taken particular issue with how poorly the scanning tool was installed. "He was especially offended that he was not looped in on the decision," said the ex-Yahoo source. "The program that was installed for interception was very carelessly implemented, in a way that if someone like an outside hacker got control of it, they could have basically read everyone's Yahoo mail," something the source attributed to "the fact that it was installed without any security review."
“Standard protocol on the security team,” the ex-Yahoo source explained, “is to open a security issue and assign it to the team responsible for that component, in this case Mail, saying you have to fix this within 24-48 hours,” due to its severity. “At that point [Yahoo Mail] would have had to explain to [them] why they didn’t have to fix this, which was because they had installed it.” But the source says that after the security team raised an alarm over the email scanning, still thinking it was the work of an outside hacker and not their coworkers, the complaint suddenly went missing from Yahoo’s internal tracker: “I looked for the issue and I couldn’t find it,” said the Yahoo alum. “I assume it was deleted.”
If we're to believe the media reports, Yahoo CEO Marissa Mayer green-lit the surveillance without consulting her security team, and – from the sound of things – there was an attempt to keep the company's security experts out of the loop even after they uncovered the suspicious code.
Is it any wonder that Alex Stamos quit?
Like I said, it’s high time you closed your Yahoo account.