Security hole enables Skype account hijacks
(UPDATE 2) MANILA, Philippines - Skype users may want to consider watching their account and the Skype security blog over the next day or two. The Next Web reports that a security hole makes Skype accounts vulnerable to hijacking.
The security hole allows unauthorized users with knowledge of your Skype-connected email address to change the password on your Skype account, thus gaining control of it.
The hole was first posted on a Russian forum two months ago, and has been verified by The Next Web.
Details of how the security hole works have not been made public, so as to prevent its spread. The Next Web has contacted Skype so it can address the issue.
According to The Next Web’s post, the reason for the security hole’s operation is simple. “When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account.”
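The mechanism quoted above, modelled as an added Python example that is not from the article, The Next Web or Skype: a toy sign-up and reset flow in which signing up with an email already on file hands the reset token to the new client session (the flaw as described), beside a hardened variant that only ever sends the token to the email address on file. The class, account names and flow internals are all assumptions.

```python
import secrets

class ResetFlow:
    # Assumed toy model of the sign-up / password-reset path; not Skype's code.
    def __init__(self, hardened):
        self.hardened = hardened
        self.accounts = {}  # username -> {"email": ..., "password": ...}
        self.tokens = {}    # reset token -> username it resets
        self.outbox = []    # (email, message) delivered out of band

    def register(self, username, email, password):
        self.accounts[username] = {"email": email, "password": password}

    def signup(self, requested_email, session):
        """Sign-up attempt with an email already on file; returns the client session."""
        owner = None
        for username, account in self.accounts.items():
            if account["email"] == requested_email:
                owner = username
        if owner is None:
            return session
        # Username reminder to the mailbox: harmless, only the mailbox owner sees it.
        self.outbox.append((requested_email, f"reminder: your username is {owner}"))
        token = secrets.token_urlsafe(16)
        self.tokens[token] = owner
        if self.hardened:
            # Hardened: the token only travels over the verified channel (email).
            self.outbox.append((requested_email, f"reset token: {token}"))
        else:
            # Flaw as the article describes it: the token is handed to the client
            # session, so whoever started the sign-up can redeem it without the mailbox.
            session["reset_token"] = token
        return session

    def redeem(self, token, new_password):
        owner = self.tokens.pop(token, None)
        if owner is None:
            return False
        self.accounts[owner]["password"] = new_password
        return True

def session_can_reset_password(hardened):
    """Does a sign-up session alone (no mailbox access) change the victim's password?"""
    flow = ResetFlow(hardened)
    flow.register("victim", "victim@example.com", "original-password")  # constructed
    session = flow.signup("victim@example.com", {})
    token = session.get("reset_token")
    return token is not None and flow.redeem(token, "session-chosen")
```

The check a defender wants from this model is that in the hardened variant the session never carries a reset token; the only copy lands in the mailbox that already proves ownership.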
A reddit post (link omitted, as the post also describes the hijacking process) gives a potential means of preventing the hijacking:
- Log in on skype.com (if you still can, that is)
- Go to the profile, click Edit and add an email address an attacker won't guess.
- Click Save
- Click Edit again, set the new address as Primary
- Click Save, have a laugh at the message, enter the password and click the Enter button or it won't work (like one bug was not enough)
- Delete the old email
As of this posting, Skype is still conducting an internal investigation.
Update 1: A report on Softpedia asserts that Skype may have known about the issue in October.
According to the report by Eduard Kovacs, researchers from Vulnerability Lab told Softpedia about the exploit's existence in October, and provided additional information to Softpedia that served as a proof of concept.
Kovacs adds, "They asked us to hold back on publishing the article until Skype addressed the issue that was caused by an 'unsanitized request.' However, at the time, Benjamin Kunz Mejri, the founder of Vulnerability Lab, revealed that all the details of the vulnerability were given to Skype on October 7."
As of this update, TechCrunch reports that Skype has removed password reset options from the service, most likely as a temporary remedy.
Update 2: Softpedia's article linked above has been amended with a clarification. According to the update, Mejri clarified that the exploit spotted by Vulnerability Lab used a different authentication flaw. The flaw outlined in this article appears to be different from the original issue spotted on a Russian forum. - Rappler.com