Is Gmail Secure? What About Yahoo Email?
The short answer is yes, both are secure if you are using the SSL/TLS certificate on the HTTP. However, if you are using Yahoo mail, there is a blaring vulnerability in the headers.
When doing a cross comparison between both Gmail and Yahoo email accounts, I noticed that Gmail completely masks the originating sender’s IP address entirely and everything is encrypted of course.
When testing Yahoo’s email (using a friends account of course), I was easily able to extract the sender’s IPv4 address from the mail headers of the actual original senders HOME public IP address. I then used this information to intensely scan the sender’s home network and discover weaknesses in their LAN (typical COX router/modem combo unit and various IoT clients connected, and WPS on and open, of course, would you expect anything less? Oh and the best part is that the IoT devices were not secured, and he was using WPA, TKIP)
How can this be used by bad actors?
Anyone in information security will know the potential harm that could come from scanning networks for vulernabilities. It is done all the time, most routers come with built in standard firewalls that generally protect against auto scans on the Internet.
However, when someone really wants to target a victim and they have their IP and network location, it makes it a little easier for the bad actor when they can discover what devices and services are running your the victim’s LAN.
The problem from this scenario, is that there are millions of home routers and IoT devices now and most people do not have the technical skills to harden their networks at home as they become more and more complex. Breached networks and routers often leads to identity theft as the main goal of the bad actor is to acquire financial details about the victim to sell on the black markets, in which someone will eventually use, causing a problem for the victim that could financially ruin them or their credit.
…and it all started with one tiny vulnerability in a Yahoo email header.
If you are using free emails, use Gmail, it is a little more secure and Google hashes everything.
Dana Onyshko | email@example.com
See technical details