Skype fixes account hijacking vulnerability

JMH

Summary: Skype has fixed a severe vulnerability that made it possible to hijack a Skype account using only the email address associated with it.

Skype has fixed an exploit that made it possible to take over Skype accounts.

The vulnerability was revealed on a blog on Wednesday and let anyone take over a Skype account as long as they knew its email address.

"The only thing you need to obtain full access to any Skype account is primary email of that account (the email which used when the skype account been registered)," a post which appeared on the pixus.ru blog on Wednesday morning said. The post detailed the fault and gave step-by-step instructions for using the exploit.

The exploit involved six steps and gave people the ability to log in to accounts that were not theirs, then change the password, enabling them to hijack the account.

"Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address," Skype said in a statement. "We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly."
http://www.zdnet.com/skype-fixes-account-hijacking-vulnerability-7000007409/
 
Skype IDs hijackable by ANY FOOL who knows your email address

A vulnerability in Skype allows anyone to hijack its users' accounts just by knowing or guessing a punter's registered email address.

The embarrassing security hole, which is trivial to abuse, was first discussed on a Russian underground forum three months ago. Last night a Russian blog publicised the bug, and details of the flaw circulated the internet. The hijack is triggered by signing up for a new Skype account using the email address of another registered user. No access to the victim's inbox is required; one just simply needs to know the address.

Creating an account this way generates a warning that the email address is already associated with another user, but crucially the voice-chat website does not prevent the opening of the new account. From there it's possible to log into the service and request a new password for the victim's account: a security token is sent to the attacker's Skype app allowing the login credential to be reset.
http://www.theregister.co.uk/2012/11/14/skype_disables_password_reset_bug/
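The two articles describe the same design weakness from the defender's side: account creation warned about, but did not refuse, an email address already in use, and a password-reset token for that address was pushed to the Skype app of whichever account shared it, rather than only to the mailbox. The toy model below is an added example, not code from Skype, ZDNet, The Register or the forum post; the account names, the `example.invalid` address and the two hardening switches (`unique_email`, `mail_only_reset`) are constructed to show how each control on its own closes the flaw.

```python
"""Toy account service modelling the 2012 Skype password-reset weakness.

Added example with constructed data; it is not Skype's code. Two switches
model the two fixes a defender would apply:
  unique_email    - refuse to register a second account against an email
                    already in use (instead of only warning).
  mail_only_reset - bind each reset token to one account and deliver it
                    only to that address's mailbox, never to a logged-in app.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    password: str


class AccountService:
    def __init__(self, unique_email: bool, mail_only_reset: bool):
        self.unique_email = unique_email
        self.mail_only_reset = mail_only_reset
        self.accounts: dict[str, Account] = {}
        self.tokens: dict[str, str] = {}         # token -> account (hardened) or email (weak)
        self.mailbox: dict[str, list[str]] = {}  # email -> tokens delivered by mail
        self.app_feed: dict[str, list[str]] = {}  # username -> tokens pushed to the app
        self.logged_in: set[str] = set()

    def register(self, username: str, email: str, password: str) -> None:
        if username in self.accounts:
            raise ValueError("username taken")
        if self.unique_email and any(a.email == email for a in self.accounts.values()):
            raise ValueError("email already registered")  # refuse, do not merely warn
        self.accounts[username] = Account(username, email, password)

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.password != password:
            return False
        self.logged_in.add(username)
        return True

    def request_reset(self, email: str) -> None:
        holders = [a for a in self.accounts.values() if a.email == email]
        if self.mail_only_reset:
            # One token per account, bound to that account, mailed out of band.
            for acct in holders:
                token = secrets.token_urlsafe(16)
                self.tokens[token] = acct.username
                self.mailbox.setdefault(email, []).append(token)
        else:
            # Weak flow: one token bound to the email, pushed to every
            # logged-in app whose account shares that email.
            token = secrets.token_urlsafe(16)
            self.tokens[token] = email
            for acct in holders:
                if acct.username in self.logged_in:
                    self.app_feed.setdefault(acct.username, []).append(token)

    def reset_password(self, token: str, username: str, new_password: str) -> bool:
        owner = self.tokens.pop(token, None)  # single use
        acct = self.accounts.get(username)
        if owner is None or acct is None:
            return False
        expected = username if self.mail_only_reset else acct.email
        if owner != expected:
            return False
        acct.password = new_password
        return True


def replay(unique_email: bool, mail_only_reset: bool) -> str:
    """Replay the reported scenario against a service with the given controls."""
    svc = AccountService(unique_email, mail_only_reset)
    svc.register("victim", "victim@example.invalid", "correct-horse")
    try:
        svc.register("second", "victim@example.invalid", "other-pw")  # same email, no inbox access
    except ValueError:
        return "registration refused"
    svc.login("second", "other-pw")
    svc.request_reset("victim@example.invalid")
    for token in svc.app_feed.get("second", []):
        if svc.reset_password(token, "victim", "changed"):
            return "victim account hijacked"
    return "no usable token reached the app"


if __name__ == "__main__":
    for flags in [(False, False), (False, True), (True, False)]:
        print(flags, "->", replay(*flags))
```

Either control alone is enough in this model, but they guard different steps: `unique_email` stops the duplicate account from existing, while `mail_only_reset` makes the token worthless to anyone who cannot read the mailbox, which is the property a reset flow should rest on in the first place.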
 
