Skype Fixes Flaw Allowing Easy Account Hijack
Skype has fixed a flaw that allowed a hacker to hijack legitimate accounts using only the account owner's email address. The issue was a hole in the process for resetting a user's password, said Brian Laing, director of U.S. marketing and products at AhnLab. "This is something Skype should not have allowed."
Nov 15, 2012 11:03 AM PT
Skype on Wednesday fixed a vulnerability that allowed users' accounts to be hijacked using the password reset process.
The vulnerability was published two months ago on the Russian site Xeksec.
Skype has fixed the problem by updating the password reset process.
How the Hack Worked
To exploit the vulnerability, all a hacker needed to know was a victim's email address. By entering that address on Skype's sign-in page, hackers would receive a warning that an account with that email address already exists.
The hacker could then create a new Skype account tied to another email address and Skype would email a reminder of the original username associated with that account. It would also send a password reset token that could be used to freeze out the actual owner of the Skype account.
From there, the hacker could run the Skype application with the new credentials.
The vulnerability has been publicized on several Russian forums and blogs, and was being actively exploited in the wild, Kaspersky Labs said.
Who Got Hit
The vulnerability affected some users with multiple Skype accounts registered to the same email address.
Skype suspended the password reset feature temporarily on Wednesday morning prior to updating the process and is reaching out to a small number of users who may have been impacted.
Skype declined to provide further details.
The Skype vulnerability is an example of a flaw that emerges "due to inherent logic issues in the overall system, which do not typically require any custom code to exploit," said Brian Laing, director of U.S. marketing and products at AhnLab.
"Given that this is a process issue, the coding change to resolve [it] should be relatively quick and easy for them to do and should not require that they change anything in the client," Laing told TechNewsWorld. "Unless someone mistakenly changes something on the back end, it should be a permanent fix."
Although logic problems "can often be the hardest for people to find, especially if the development team does not have a security mindset driving some of their testing and architecture, this is something [Skype] should not have allowed," Laing stated. "If [Skype] knew about it before, they should have addressed it immediately."
It's standard practice that, for password resets, an email is sent to the email address, Laing pointed out. "Additionally, many services require an acknowledgement email sent to the email address used to set up an account. The fact that [Skype] doesn't require this broadly adopted standard shows that some of their security is not adequate."
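The following is an added example, not code from the article, from Skype or from AhnLab: a toy Python model of the two processes the article contrasts. `WeakResetService` replays the logic flaw described under "How the Hack Worked" (an address attached to a new account without proof of ownership, and reset notices reaching every account sharing that address), while `HardenedResetService` follows the practice Laing describes: the address is verified at sign-up, and the reset token goes only to the registered mailbox. The usernames, addresses, the 900-second token lifetime and the in-app inbox are all constructed for the demo and are not details of Skype's system.

```python
"""Toy model of a password-reset logic flaw and its hardened counterpart.
Added example; all names, addresses and lifetimes are constructed."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool
    password: str = "initial-secret"   # plaintext only to keep the toy short


class WeakResetService:
    """Flawed process: an address is attached to a new account without proof of
    ownership, and reset notices for that address are broadcast to the in-app
    inbox of every account that shares it."""

    def __init__(self):
        self.accounts, self.client_inbox, self.tokens = {}, {}, {}

    def register(self, username, email):
        self.accounts[username] = Account(username, email, email_verified=True)
        self.client_inbox[username] = []

    def request_reset(self, email):
        sharing = [a for a in self.accounts.values() if a.email == email]
        for acct in sharing:
            token = secrets.token_urlsafe(16)
            self.tokens[token] = acct.username
            for peer in sharing:            # one account's notice reaches all peers
                self.client_inbox[peer.username].append((acct.username, token))

    def redeem(self, token, new_password):
        username = self.tokens.pop(token, None)   # single use
        if username is None:
            return False
        self.accounts[username].password = new_password
        return True


class HardenedResetService:
    """Corrected process: the address is verified before use, one verified
    address belongs to one account, and reset tokens go only to the mailbox of
    the registered address (never into the application), expire, and are
    single-use."""
    TOKEN_TTL = 900   # seconds; an assumed value for the demo

    def __init__(self):
        self.accounts, self.mailbox, self.pending, self.tokens = {}, {}, {}, {}

    def register(self, username, email):
        if any(a.email == email and a.email_verified for a in self.accounts.values()):
            return False                    # address already owned by a verified account
        self.accounts[username] = Account(username, email, email_verified=False)
        code = secrets.token_urlsafe(16)
        self.pending[username] = code
        self.mailbox.setdefault(email, []).append(("verify", username, code))
        return True

    def verify_email(self, username, code):
        expected = self.pending.get(username)
        if expected is None or not secrets.compare_digest(expected, code):
            return False
        self.accounts[username].email_verified = True
        del self.pending[username]
        return True

    def request_reset(self, email):
        for acct in self.accounts.values():
            if acct.email == email and acct.email_verified:
                token = secrets.token_urlsafe(16)
                self.tokens[token] = (acct.username, time.time() + self.TOKEN_TTL)
                self.mailbox.setdefault(email, []).append(("reset", acct.username, token))

    def redeem(self, token, new_password):
        entry = self.tokens.pop(token, None)
        if entry is None or entry[1] < time.time():
            return False
        self.accounts[entry[0]].password = new_password
        return True


def demo():
    """Replays the article's scenario against both services and reports
    whether the second registrant could change the owner's password."""
    email = "alice@example.invalid"          # constructed address
    weak = WeakResetService()
    weak.register("alice", email)
    weak.register("mallory", email)          # second account on the same address
    weak.request_reset(email)
    leaked = [t for owner, t in weak.client_inbox["mallory"] if owner == "alice"]
    weak_hijacked = bool(leaked) and weak.redeem(leaked[0], "attacker-chosen")

    hard = HardenedResetService()
    hard.register("alice", email)
    hard.verify_email("alice", hard.mailbox[email][-1][2])   # owner reads own mailbox
    second_ok = hard.register("mallory", email)              # refused: address is taken
    hard.request_reset(email)
    reset_msgs = [m for m in hard.mailbox[email] if m[0] == "reset"]
    return {"weak_hijacked": weak_hijacked, "hard_second_registration": second_ok,
            "hard_reset_only_in_mailbox": len(reset_msgs) == 1
            and reset_msgs[0][1] == "alice"}


if __name__ == "__main__":
    print(demo())
```

The design point is the one Laing makes: no custom code is needed to exploit the weak flow, only the ordinary registration and reset features used in the wrong order, so the fix is a change in process (verify the address, bind one verified address to one account, deliver tokens only to that address) rather than a patch to the client. The expiring, single-use token is an extra check a practitioner would add so that a delivered token cannot be replayed later.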
Skype and Microsoft
Whether this latest vulnerability will impact Microsoft's plans to replace Windows Live Messenger with Skype remains to be seen.
"My guess is that this [vulnerability] won't impact [Microsoft's plans] at all," Laing said. "IM client use tends to be dictated by your social group more than any product choice."
Microsoft declined to provide further details.