Skype users warned of serious security problem - accounts can be hijacked with ease

Filed Under: Featured, Microsoft, Privacy, Vulnerability

SkypeA serious security problem has been uncovered in Skype, which allows hackers to hijack accounts just by knowing users' email addresses.

The Next Web describes how it managed to reproduce the attack, accessing the Skype accounts of staff by just knowing their email address, and then changing the passwords of their "victims" to lock them out.

According to The Next Web:

"The reason this works is simple, but it's still worrying. When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account."

The issue was reportedly documented on Russian forums months ago, and appears to have been easy to exploit.

Skype has responded to the reports by temporarily disabling password resets for Skype accounts, and published a brief advisory to users:

Skype acknowledges there is a possible problem

"We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority"

Before Skype withdrew the ability for users to reset their passwords, the only protection for users was to change the email address connected with their Skype account to one which was not known by anybody else.

Microsoft-owned Skype has made the headlines for security reasons in the past. For instance, earlier this year it was accused of being slow to fix a flaw that could allow the gathering of information from Skype users, including a victim's city, country, internet provider and IP address.

Update: At 15:28 GMT, Skype said it had resolved the issue. Here's their updated advisory:

"Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.

, ,

You might like

5 Responses to Skype users warned of serious security problem - accounts can be hijacked with ease

  1. JimboC_Security · 709 days ago

    As always Graham and Sophos thanks for the heads up on this. I check the Skype security blog about twice a week but haven’t yet checked it this week ( http://blogs.skype.com/security/ ). Interestingly it is the Heartbeat blog that actually contains the advisory that you have kindly linked to.

    From what I can tell, this is a security change that Skype will need to make on their backend database systems and not a change to the Skype client, so we shouldn’t have to update to resolve this.

    Thanks again.

  2. Michael · 709 days ago

    They just published the update on their Twitter letting users know it's fixed.

  3. Yeah, it always seemed strange that you could sign up for Skype without e-mail confirmation codes.

  4. R Burke · 660 days ago

    My Skype account was hacked again and they refuse to refund the money charge by someone else to the account-cancelling skype and staying away--they suck

  5. Nugroho · 607 days ago

    Had the same problem. Skype customer service asked for ridiculous questions, such as the date or year I first used skype, the order number etc. They just want to take the money. That's all.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.