Skype vulnerability allowed for account hijacking using only email address.
A worryingly trivial vulnerability in VoIP service
Skype
became public this morning, which allowed anyone to take over a user’s
Skype
account using nothing but the email address linked to the account.
The method – which was posted on Russian underground forums a few months ago and allegedly used to hijack the account of the Russian opposition leader – consisted of creating a new account using the email address that was used by the victim to create their account. While
Skype
gives a warning that the address is already in use, it does not prevent the new account being created; the email address is never verified. Once an account had been created, the attacker only had to log into
Skype
and request a password reset using a web browser, which resulted in the
Skype
interface displaying a one-time password that allowed the attacker to take over the victim’s account.
Skype
‘s owner
Microsoft
responded quickly when the vulnerability was made public, and closed the link between the password reset in the web browser and the
Skype
interface; indeed, we were not able to reproduce the method. However, account creation using a previously used email address is still possible.
While vulnerabilities like this – that don’t require any technical knowledge to exploit – are rare, account hijacks based solely on the knowledge of an email address linked to the account are not unique: many high-profile cases of account compromises have shown that such knowledge helps a great deal in attacks using social engineering. Users would thus do well to consider using a unique, hard-to-guess email address for important accounts: password reset features have long been known to be a security weakness, so making it harder to have a password reset is a sensible thing to do.
In the meantime, we hope that
Microsoft
will make new
Skype
accounts verify the email address linked to the account, regardless of whether the address has been used before. Currently,
Skype
‘s ability to search users by their email address makes it easy to impersonate someone on the service – the fact that we were able to create a
Skype
account using Bill Gates’s email address and then find him using a search on that address is a little worrying.
More at
Kaspersky
‘s
Securelist
blog
here
with the official statement from
Microsoft
here
.
Posted on 14 November 2012 by
Martijn Grooten
Leave a Reply