
Hackers could take over accounts with only an email address

Skype had a security flaw that allowed hackers to access and control accounts with only the help of an email address. 

The Next Web learned of the security hole and reproduced the attack to see if it worked. The Next Web writer Emil Protalinski used co-worker Josh Ong as a pretend target: he created a new Skype account using Ong's email address and tied his own to it as well.

A couple of steps later, Protalinski was able to see both his new username with Ong's email address as well as Ong's original username. More importantly, he received the option to change the password to Ong's account. 

From there, Protalinski changed the password and locked Ong out of his account. Ong couldn't log back in until Protalinski gave him the new password.

"The reason this works is simple, but it’s still worrying," wrote Protalinski. "When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account."
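As an added illustration (not Skype's code or anything from the article), here is a minimal Python model of the reset-token flaw Protalinski describes beside a hardened version. The account names, the email address and the in-memory stores are constructed; in the flawed variant the token is bound only to the shared email address, so a token handed to one account can be redeemed against any account registered with that address.

```python
import secrets
import time

# Constructed in-memory model (added example, not Skype's implementation):
# two accounts registered to the same email address, as in the article.
ACCOUNTS = {
    "victim_original": {"email": "victim@example.com", "password": "old"},
    "attacker_new": {"email": "victim@example.com", "password": "x"},
}
TOKENS = {}  # reset token -> what it is bound to, plus expiry (900 s)

def issue_token_vulnerable(requesting_username):
    """Flawed: token bound only to the (shared) email, shown in-app to the requester."""
    email = ACCOUNTS[requesting_username]["email"]
    token = secrets.token_urlsafe(16)
    TOKENS[token] = {"email": email, "expires": time.time() + 900}
    return token

def redeem_vulnerable(token, target_username, new_password):
    entry = TOKENS.pop(token, None)
    if entry is None or entry["expires"] < time.time():
        return False
    # Only the email is compared, so a token the attacker's own account
    # received also passes the check for the victim's account.
    if ACCOUNTS[target_username]["email"] != entry["email"]:
        return False
    ACCOUNTS[target_username]["password"] = new_password
    return True

def issue_token_hardened(username):
    """Token bound to one account; delivered only to its verified email (simulated)."""
    token = secrets.token_urlsafe(16)
    TOKENS[token] = {"account": username, "expires": time.time() + 900}
    return token

def redeem_hardened(token, target_username, new_password):
    entry = TOKENS.pop(token, None)
    if entry is None or entry["expires"] < time.time():
        return False
    if entry["account"] != target_username:
        return False  # presented against an account it was not issued for
    ACCOUNTS[target_username]["password"] = new_password
    return True

def register(username, email):
    """Root cause named in Microsoft's statement: enforce one account per email."""
    if username in ACCOUNTS or any(a["email"] == email for a in ACCOUNTS.values()):
        return False
    ACCOUNTS[username] = {"email": email, "password": None}
    return True
```

Tokens are single-use in both variants; the hardened flow additionally refuses a token presented against any account other than the one it was issued for, and `register` closes the duplicate-email condition that made the cross-account reset possible.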

The Next Web contacted Microsoft, which owns Skype, about the vulnerability. Microsoft responded saying that it was conducting an internal investigation. Later, it plugged the security hole and said only a "small number of users" had been affected. 

Here is Microsoft's statement to The Next Web:

Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly.

We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.

Source: The Next Web


By Master Kenobi on 11/14/2012 4:24:43 PM , Rating: 4
Don't share your skype account with others? Check.
Don't share your email account with others? Check.

Nothing to see here folks.

RE: Duh
By stm1185 on 11/14/2012 4:45:37 PM , Rating: 2
Now can they fix people grabbing your IP off it to DDOS you.

RE: Duh
By kleinma on 11/14/2012 5:20:49 PM , Rating: 3
I've never heard of this. Have any links?

I would have to imagine if it was ever an issue, it isn't one now that skype has been moved to the MS live messenger back end, and super nodes are no longer.

RE: Duh
By Visual on 11/15/2012 2:10:23 PM , Rating: 2
Don't read what something is all about? Check.

All you needed for the hack was the email address associated with a skype account. You did not need the skype account name or pass, and you did not need the email account password (I can only assume this is what you meant in point 2... the alternative is you meant not to share my *address*, which is just so idiotic I'm not going to discuss it any more).
