
Hackers could take over accounts with only an email address

Skype had a security flaw that allowed hackers to access and take control of accounts with nothing more than the email address tied to them. 

The Next Web learned of the security hole and reproduced the attack to confirm that it worked. The Next Web writer Emil Protalinski used co-worker Josh Ong as a stand-in target: he created a new Skype account using Ong's email address and tied his own account to it as well. 

A couple of steps later, Protalinski was able to see both his new username with Ong's email address as well as Ong's original username. More importantly, he received the option to change the password to Ong's account. 

From there, Protalinski changed the password and locked Ong out of his account. Ong couldn't log back in until Protalinski gave him the new password.

"The reason this works is simple, but it’s still worrying," wrote Protalinski. "When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account."
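As an added illustration, not code from Skype, Microsoft or The Next Web, the Python model below contrasts the reset design the quote describes (a token scoped to an email address and shown inside the logged-in app, where any account sharing that address can redeem it) with a token bound to exactly one account and delivered only to that account's mailbox. The service, usernames, addresses and passwords are all constructed for the example.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    password: str


class ResetService:
    """Toy password-reset flow. bind_to_account=False models the reported weakness;
    bind_to_account=True models the hardened design. Not a real service."""

    def __init__(self, bind_to_account: bool):
        self.bind_to_account = bind_to_account
        self.accounts: dict[str, Account] = {}
        # token -> subject it is valid for: an email address (weak) or a username (strong)
        self.tokens: dict[str, str] = {}
        self.mailbox: dict[str, list[str]] = {}    # email -> tokens sent out of band
        self.app_inbox: dict[str, list[str]] = {}  # username -> tokens shown in the logged-in app

    def register(self, username: str, email: str, password: str) -> None:
        # Sign-up does not prove control of the mailbox, as in the article's scenario.
        self.accounts[username] = Account(username, email, password)

    def request_reset(self, username: str) -> None:
        account = self.accounts[username]
        token = secrets.token_urlsafe(16)
        if self.bind_to_account:
            # Strong: token names one account and leaves only via that account's mailbox.
            self.tokens[token] = account.username
            self.mailbox.setdefault(account.email, []).append(token)
        else:
            # Weak: token is scoped to the email and handed to the requesting app session.
            self.tokens[token] = account.email
            self.app_inbox.setdefault(username, []).append(token)

    def redeem(self, token: str, username: str, new_password: str) -> bool:
        subject = self.tokens.pop(token, None)   # single use
        account = self.accounts.get(username)
        if subject is None or account is None:
            return False
        if self.bind_to_account:
            allowed = subject == account.username
        else:
            allowed = subject == account.email   # any account sharing the email qualifies
        if allowed:
            account.password = new_password
        return allowed


def takeover_scenario(bind_to_account: bool) -> bool:
    """Replays the article's steps against the model. Returns True when a second
    account registered to the same email could change the original account's password."""
    svc = ResetService(bind_to_account)
    svc.register("josh", "josh@example.test", "original-pw")   # constructed original account
    svc.register("second", "josh@example.test", "other-pw")    # second account, same email
    svc.request_reset("second")
    # The second account controls only its own app session, never josh's mailbox.
    visible = list(svc.app_inbox.get("second", []))
    return any(svc.redeem(t, "josh", "changed-pw") for t in visible)


def legitimate_reset() -> bool:
    """In the hardened design the real owner reads the token from the mailbox and
    can still reset the password of the account the token was issued for."""
    svc = ResetService(bind_to_account=True)
    svc.register("josh", "josh@example.test", "original-pw")
    svc.request_reset("josh")
    token = svc.mailbox["josh@example.test"][-1]
    return svc.redeem(token, "josh", "new-pw") and svc.accounts["josh"].password == "new-pw"


if __name__ == "__main__":
    print("weak design, takeover possible:", takeover_scenario(False))
    print("bound token, takeover possible:", takeover_scenario(True))
    print("bound token, owner can reset:", legitimate_reset())
```

The two checks that matter in the hardened branch are that the token is bound to a single account rather than to whatever else shares the address, and that it never reaches an in-app session; a real deployment would additionally refuse to link an address to a new account until a confirmation sent to that address has been acted on.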

The Next Web contacted Microsoft, which owns Skype, about the vulnerability. Microsoft responded saying that it was conducting an internal investigation. Later, it plugged the security hole and said only a "small number of users" had been affected. 

Here is Microsoft's statement to The Next Web:

Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly.

We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.

Source: The Next Web


RE: Duh
By Visual on 11/15/2012 2:10:23 PM , Rating: 2
Don't read what something is all about? Check.

All you needed for the hack was the email address associated with a Skype account. You did not need the Skype account name or pass, and you did not need the email account password (I can only assume this is what you meant in point 2... the alternative is you meant not to share my *address*, which is just so idiotic I'm not going to discuss it any more).


Copyright 2016 DailyTech LLC.