Skype’s Super-Easy Account Hijacking Vulnerability

So not only does (did?) Skype allow remote code execution on your computer, lets anyone find out your IP address when you’re logged in, as of late makes a point of routing your data through central servers for easy tapping… but now it turns out anyone who knows the /email address/ behind a Skype account could hijack it. While Microsoft’s disabled the “feature,” it circulated in the Russian computer underground for three months before coming to light.

So if your account went AWOL mysteriously, you may have an unshaven vodka-swilling chain-smoking mob-connected stereotype named Ivan to blame. And plenty of decentralized open-source alternatives to switch to, though you’ll have to learn a bit about SIP.

http://www.theregister.co.uk/2012/11/14/skype_disables_password_reset_bug/

“A vulnerability in Skype allows anyone to hijack its users’ accounts just by knowing or guessing a punter’s registered email address.

The embarrassing security hole, which is trivial to abuse, was first discussed on a Russian underground forum three months ago. Last night a Russian blog publicised the bug, and details of the flaw circulated the internet. The hijack is triggered by signing up for a new Skype account using the email address of another registered user. No access to the victim’s inbox is required; one just simply needs to know the address.

Creating an account this way generates a warning that the email address is already associated with another user, but crucially the voice-chat website does not prevent the opening of the new account. From there it’s possible to request a new password for the victim’s account: a security token is sent to the attacker’s Skype client, allowing the login credential to be reset.

Armed with this token, it is also possible to download private chat logs for the compromised account while the genuine owner is locked out.”
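As an added illustration (example code written for this post, not Skype's implementation), the flawed sign-up and reset flow the article describes is modelled next to a hardened one: refuse a second account bound to an address someone else has already verified, and send reset tokens only out of band to that address, never to whichever client asked for them.

```python
import secrets

# Constructed toy model; account and outbox structures are assumptions.
# accounts: username -> {"email": str, "verified": bool}
# outbox:   list of (channel, recipient, token) recording where each token went


def register_flawed(accounts, username, email):
    """Flawed sign-up: the duplicate email only triggers a warning, and inbox
    access is never checked, so the account is created regardless."""
    # A real check would stop here when the email is already taken.
    accounts[username] = {"email": email, "verified": False}
    return True


def reset_flawed(accounts, outbox, email, requesting_user):
    """Flawed reset: the token is delivered to the requesting client, so any
    second account sharing the email receives it and can lock out the owner."""
    if accounts.get(requesting_user, {}).get("email") != email:
        return None
    token = secrets.token_hex(8)
    outbox.append(("client", requesting_user, token))
    return token


def register_hardened(accounts, username, email):
    """Hardened sign-up: an address already verified by another account cannot
    be bound again; a fresh binding stays inert until verify_email() succeeds."""
    if any(a["email"] == email and a["verified"] for a in accounts.values()):
        return False
    accounts[username] = {"email": email, "verified": False}
    return True


def verify_email(accounts, username):
    """Simulates the registrant proving inbox access (e.g. clicking a mailed link)."""
    accounts[username]["verified"] = True


def reset_hardened(accounts, outbox, email):
    """Hardened reset: the token goes out of band to the single verified owner
    of the address; the identity of the requesting client plays no part."""
    owners = [u for u, a in accounts.items() if a["email"] == email and a["verified"]]
    if len(owners) != 1:
        return None
    token = secrets.token_hex(8)
    outbox.append(("email", email, token))
    return token
```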
