Skype vulnerability makes hijack child’s play.

A serious vulnerability in Skype has come to light. It allowed anyone to take over the Skype account of any other user, armed only with knowledge of that user's e-mail address.

A proof of concept for the issue was posted on a Russian forum about three months ago, and the original poster reported on a different site just yesterday that the vulnerability was still not fixed. The author also notes that abuse of the vulnerability has been widespread, affecting many users from his own contact list.

In essence, the procedure was so simple that it could be carried out by even the most inexperienced computer user. All that was necessary was to create a new Skype ID and associate it with the e-mail address of the victim. Once that was done, a flaw in the password reset procedure allowed the attacker to take control of the victim's account through the online password reset form. This locked the victim out of their Skype account and allowed the attacker to receive and respond to all messages destined for that victim until further notice. I tested the vulnerability and the entire process took only a matter of minutes.
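As an added illustration (not code from this article, and not Skype's own logic, which the post does not describe), here is a toy account-recovery service in Python. With `require_verified_email=False` it models the weak behaviour described above: an e-mail address can be attached to a new account without any proof of ownership, and the reset flow then treats every account listing that address as a candidate for reset. With `True` it shows the checks that close the gap: an address only counts once its owner has confirmed it, a confirmed address cannot be bound to a second account, and each reset token names exactly one account.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Account:
    username: str
    email: str
    email_verified: bool = False  # has the owner followed a confirmation link?

class RecoveryService:
    def __init__(self, require_verified_email: bool):
        self.require_verified_email = require_verified_email
        self.accounts: Dict[str, Account] = {}  # username -> Account
        self.tokens: Dict[str, str] = {}        # reset token -> username

    def register(self, username: str, email: str) -> bool:
        # Hardened policy: an address someone has already proven to own
        # cannot be attached to a second account at all.
        if self.require_verified_email and any(
            a.email == email and a.email_verified for a in self.accounts.values()
        ):
            return False
        self.accounts[username] = Account(username, email)
        return True

    def confirm_email(self, username: str) -> None:
        # Models the owner following the confirmation link sent to the address.
        self.accounts[username].email_verified = True

    def reset_targets(self, email: str) -> List[str]:
        # Weak policy: any account merely listing the address is a reset target.
        # Hardened policy: only an account that has proved ownership of it.
        return sorted(
            a.username for a in self.accounts.values()
            if a.email == email and (a.email_verified or not self.require_verified_email)
        )

    def issue_reset_token(self, email: str, username: str) -> Optional[str]:
        # A token is bound to exactly one account, never to the bare address.
        if username not in self.reset_targets(email):
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = username
        return token

    def complete_reset(self, token: str) -> Optional[str]:
        # One-shot: the token is consumed and names the only account it may reset.
        return self.tokens.pop(token, None)
```

Under the weak policy a second account registered with an address that already belongs to someone widens the set of accounts a reset for that address can touch; under the hardened policy that registration is refused outright.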

The issue has been reported to Microsoft (which acquired Skype last year), and as a precautionary measure it has simply removed the online password reset page while the underlying flaw is investigated.

Before the password reset page was disabled, the only way to protect yourself was to register an entirely separate, secret e-mail address for use with your Skype account. That is not only security by obscurity; it could theoretically leave you more exposed to attack, since you are less likely to check the inbox of such a little-used address regularly.

Moral of the story? Even information you are used to handing out to anyone can be used against you; there is no such thing as too much privacy.

Image credit: dingler1109 (Flickr), used under Creative Commons.

12 thoughts on “Skype vulnerability makes hijack child’s play.”


  9. james

    I’d love to hear your stories on the many Apple vulnerabilities that everyone seems to skate over. Really, the most vulnerable software out there. Had nothing but problems with App OS despite assertions that (ridiculously) OS doesn’t get viruses.

