A vulnerability has been made public today that allows anyone to gain control over a Skype account. All an attacker needs is the email address registered to the account; within a few minutes they can lock the real user out and use the account as their own.
The takeover can be completed in six very simple steps, and it never requires knowing the Skype user's password. It comes down to the way in which Skype, and therefore Microsoft, handles resetting a forgotten password for the service.
Typically, in order to reset a password a service contacts the user through their email address. As the user should be the only person with access to that mailbox, proving you can read it is a reasonable way to authorise a password reset. Skype breaks this rule by letting the reset be completed directly in the Skype app and through a web browser, so the person completing it never has to demonstrate control of the mailbox.
What an attacker does is register a dummy Skype account using the same email address as the person they want to steal an account from. Once registered, the attacker requests a password reset for the dummy account. Because more than one Skype name is now associated with that email address, the reset process lists both names and lets the requester pick either one.
That is where the check fails: the attacker can reset the other user's password, and because that user's Skype name was displayed as part of the reset process, the attacker now holds the complete login credentials for the account. The real user is left scratching their head when their password is rejected the next time they try to log in.
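To make the logic flaw concrete, here is an added toy model of the flow described above, written for this page; it is not Skype's code, and the class and method names, the two example usernames and the email address are all made up. The vulnerable service authorises a reset on the basis that the requester's account shares an email string with the target, which is exactly the enumeration-and-reset step the article describes. The hardened service keeps the same account store (several accounts per mailbox remain allowed) but only completes a reset with a single-use token that is delivered to the mailbox and bound to one account, so an attacker who merely knows the address gets nothing.

```python
"""Toy model of a password-reset flow that authorises by 'same email address'
(vulnerable) versus one that authorises by a mailbox-delivered token (hardened).
Added example for this page; not Skype's implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    pw_hash: str


def _h(password: str) -> str:
    # Toy hash so the example is self-contained; use argon2/bcrypt/scrypt in real code.
    return hashlib.sha256(password.encode()).hexdigest()


class VulnerableService:
    """Mirrors the flow described in the article: registration does not verify the
    email, and the in-app reset lists every username tied to the requester's email
    and lets the requester reset any one of them."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, email: str, password: str) -> None:
        # Flaw 1: nobody checks that the registrant controls `email`.
        self.accounts[username] = Account(username, email, _h(password))

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(acct.pw_hash, _h(password))

    def in_app_reset_choices(self, logged_in_user: str) -> list[str]:
        # Flaw 2: every account sharing the email is disclosed to the requester.
        email = self.accounts[logged_in_user].email
        return sorted(a.username for a in self.accounts.values() if a.email == email)

    def in_app_reset(self, logged_in_user: str, target: str, new_password: str) -> None:
        # Flaw 3: the reset is authorised by "same email string", not by mailbox access.
        if target not in self.in_app_reset_choices(logged_in_user):
            raise PermissionError("target is not associated with your email")
        self.accounts[target].pw_hash = _h(new_password)


class HardenedService(VulnerableService):
    """Same account store, but a reset can only be completed with a single-use
    token that is sent to the mailbox and bound to exactly one account."""

    def __init__(self) -> None:
        super().__init__()
        self.pending: dict[str, str] = {}          # token -> username it may reset
        self.mailbox: dict[str, list[str]] = {}    # email -> delivered tokens (stands in for SMTP)

    def in_app_reset_choices(self, logged_in_user: str) -> list[str]:
        return []  # no in-app enumeration of other accounts on the same email

    def in_app_reset(self, logged_in_user: str, target: str, new_password: str) -> None:
        raise PermissionError("password resets are completed only via an emailed token")

    def request_reset(self, username: str) -> None:
        acct = self.accounts[username]
        token = secrets.token_urlsafe(32)
        self.pending[token] = username                       # token bound to one account
        self.mailbox.setdefault(acct.email, []).append(token)  # only the mailbox owner sees it

    def complete_reset(self, token: str, new_password: str) -> None:
        username = self.pending.pop(token, None)  # single use
        if username is None:
            raise PermissionError("invalid or expired reset token")
        self.accounts[username].pw_hash = _h(new_password)


def attack(service: VulnerableService) -> bool:
    """Runs the takeover from the article against a service model.
    Returns True if the attacker ends up able to log in as the victim."""
    service.register("victim", "victim@example.com", "victim-secret")
    # Step 1: register a dummy account on the victim's email address.
    service.register("attacker_dummy", "victim@example.com", "dummy-pw")
    try:
        # Step 2: the reset screen lists the victim's username next to the dummy.
        targets = [u for u in service.in_app_reset_choices("attacker_dummy") if u != "attacker_dummy"]
        # Step 3: pick the victim and set a password the attacker knows.
        for target in targets:
            service.in_app_reset("attacker_dummy", target, "owned")
    except PermissionError:
        return False
    return service.login("victim", "owned")


if __name__ == "__main__":
    print("vulnerable service taken over:", attack(VulnerableService()))  # True
    print("hardened service taken over:  ", attack(HardenedService()))    # False
```

The point of the hardened variant is that the authorisation signal moves from "this account has the same email string as mine" to "this request carries a token that only reached the real mailbox". Sharing an email address between accounts is no longer dangerous, which is why the stop-gap of changing your address to an unguessable one is a workaround for the flaw rather than a fix of it.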
Microsoft is aware of the vulnerability, and has been for around 3 months, but no fix has been issued. Hopefully, now that it has been made public, the Skype team will react quickly.
If you want to keep your Skype account safe until a fix ships, the only thing you can do is change the email address on the account to one nobody else knows; the attack depends on the attacker knowing which address to register the dummy account with.
Update: Skype has issued the following statement regarding the vulnerability:
“We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience but user experience and safety is our first priority.”
via TNW