
Skype Fixes Flaw Allowing Easy Account Hijack

By Richard Adhikari
Nov 15, 2012 11:03 AM PT

Skype on Wednesday fixed a vulnerability that allowed users' accounts to be hijacked using the password reset process.

The vulnerability was published two months ago on the Russian site Xeksec.

Skype has fixed the problem by updating the password reset process.

How the Hack Worked

To exploit the vulnerability, all a hacker needed to know was a victim's email address. By entering that address on Skype's sign-in page, hackers would receive a warning that an account with that email address already existed.

The hacker could then create a new Skype account tied to another email address and Skype would email a reminder of the original username associated with that account. It would also send a password reset token that could be used to freeze out the actual owner of the Skype account.

From there, the hacker could run the Skype application with the new credentials.

The vulnerability has been publicized on several Russian forums and blogs, and was being actively exploited in the wild, Kaspersky Labs said.

Who Got Hit

The vulnerability affected some users with multiple Skype accounts registered to the same email address.

Skype suspended the password reset feature temporarily on Wednesday morning prior to updating the process and is reaching out to a small number of users who may have been impacted.

Skype declined to provide further details.

Logic Problems

The Skype vulnerability is an example of a flaw that emerges "due to inherent logic issues in the overall system, which do not typically require any custom code to exploit," said Brian Laing, director of U.S. marketing and products at AhnLab.

"Given that this is a process issue, the coding change to resolve [it] should be relatively quick and easy for them to do and should not require that they change anything in the client," Laing told TechNewsWorld. "Unless someone mistakenly changes something on the back end, it should be a permanent fix."

Although logic problems "can often be the hardest for people to find, especially if the development team does not have a security mindset driving some of their testing and architecture, this is something [Skype] should not have allowed," Laing stated. "If [Skype] knew about it before, they should have addressed it immediately."

It's standard practice that, for password resets, an email is sent to the email address, Laing pointed out. "Additionally, many services require an acknowledgement email sent to the email address used to set up an account. The fact that [Skype] don't require this broadly adopted standard shows that some of their security is not adequate."
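The flaw described under "How the Hack Worked" and the standard practice Laing cites (a reset mail that goes only to the account's own address, and an acknowledgement mail at sign-up) come down to two properties of a reset flow: a token must be bound to exactly one account, and it must be delivered only to an address whose owner has proven control of the inbox. The following Python is an added example written for this article; it is not Skype's code and nothing here comes from TechNewsWorld or the quoted sources. The Account/ResetToken model, the 15-minute token lifetime, the in-memory outbox standing in for email delivery, and the SHA-256 password stand-in (a real service would use a slow password hash) are all assumptions.

```python
"""Hardened password-reset flow: one token per verified account, delivered only to that account's address."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a 15-minute reset window


@dataclass
class Account:                 # hypothetical account record
    account_id: int
    username: str
    email: str
    email_verified: bool = False
    password_hash: str = ""


@dataclass
class ResetToken:
    token_hash: str            # only the hash is stored; the raw token goes to the inbox
    account_id: int            # the token is bound to exactly one account
    expires_at: float
    used: bool = False


def _hash(value: str) -> str:
    # SHA-256 keeps the example dependency-free; use a slow password hash in production.
    return hashlib.sha256(value.encode()).hexdigest()


class PasswordResetService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts: Dict[int, Account] = {}
        self.tokens: Dict[str, ResetToken] = {}
        # Simulated mail delivery: (recipient address, account_id, raw token).
        self.outbox: List[Tuple[str, int, str]] = []

    def register(self, username: str, email: str, password: str) -> Account:
        acct = Account(len(self.accounts) + 1, username, email.lower(), False, _hash(password))
        self.accounts[acct.account_id] = acct
        return acct

    def verify_email(self, account_id: int) -> None:
        # Stands in for the acknowledgement-mail round trip: only the inbox owner can complete it.
        self.accounts[account_id].email_verified = True

    def request_reset(self, email: str) -> None:
        """Issue one single-use token per *verified* account on this address.

        Returns nothing whatever the outcome, so the requester learns neither
        whether the address is registered nor which usernames it maps to.
        """
        for acct in self.accounts.values():
            if acct.email != email.lower() or not acct.email_verified:
                continue
            raw = secrets.token_urlsafe(32)
            self.tokens[_hash(raw)] = ResetToken(
                _hash(raw), acct.account_id, self.clock() + TOKEN_TTL_SECONDS)
            self.outbox.append((acct.email, acct.account_id, raw))

    def redeem(self, raw_token: str, new_password: str) -> Optional[int]:
        """Reset the password of the account the token was issued for; None if the token is invalid."""
        rec = self.tokens.get(_hash(raw_token))
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return None
        rec.used = True
        acct = self.accounts[rec.account_id]
        acct.password_hash = _hash(new_password)
        return acct.account_id


def demo() -> dict:
    """Constructed scenario: a verified account and a second, unverified account on the same address."""
    svc = PasswordResetService()
    owner = svc.register("alice", "alice@example.com", "correct horse")
    svc.verify_email(owner.account_id)  # the inbox owner completed the acknowledgement mail
    # A second account registers the same address but never verifies it (no access to the inbox).
    second = svc.register("alice2", "alice@example.com", "hunter2")

    svc.request_reset("alice@example.com")
    issued_for = [acct_id for (_, acct_id, _) in svc.outbox]   # only the verified account gets a token
    raw = svc.outbox[0][2]
    reset_id = svc.redeem(raw, "new passphrase")                # resets the bound account only
    replay = svc.redeem(raw, "another one")                     # single use: second redemption fails
    return {
        "issued_for": issued_for,
        "reset_id": reset_id,
        "replay": replay,
        "second_unchanged": svc.accounts[second.account_id].password_hash == _hash("hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

The demo shows the two properties at work: the unverified second account on the shared address receives no token and is never touched by the reset, and the token issued to the verified account can be spent once and only on that account. Exposing a generic response from `request_reset` also closes the account-existence hint that the sign-in page gave away.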

Skype and Microsoft

Whether this latest vulnerability will impact Microsoft's plans to replace Windows Live Messenger with Skype remains to be seen.

"My guess is that this [vulnerability] won't impact [Microsoft's plans] at all," Laing said. "IM client use tends to be dictated by your social group more than any product choice."

Microsoft declined to provide further details.
