Skype Disables Password Resets After Huge Security Hole Discovered

Posted by Unknown Lamer
from the time-to-get-a-landline dept.
another random user writes with news of a vulnerability in the Skype password reset tool: "All you need to do is register a new account using that email address, and even though that address is already used (and the registration process does tell you this) you can still complete the new account process and then sign in using that account." (Info: original post in Russian.) concealment adds a link to another article with an update that Skype disabled the password reset page as a temporary fix.

  • I could have been easily hit by that one...

    • Re:Phew (Score:5, Funny)

      by mr1911 (1942298) on Wednesday November 14, 2012 @11:40AM (#41980445)

      I could have been easily hit by that one...

      Think you weren't? I've been dialing your contacts all morning while dressed appropriately for chatroulette. Your grandma did not look happy, but your wife stayed connected for 45 minutes...

      • Of course I already checked that I had access; you can't steal an account this way without changing the password, which would lock me out. And you incorrectly assumed that I have a wife ;-)

  • then there are epic lulz

  • by Anonymous Coward

    ...take a deep breath, then get ready to rant!

    Security is for pussies...!

  • by SuperCharlie (1068072) on Wednesday November 14, 2012 @11:04AM (#41980229)
    If I understand this "security hole" correctly.. and they have already popped the data to let you know the email is taken.. isn't it pretty much close to nobrainer not to go ahead with that insert query? I may be a simple caveman.. but cmon.. even in my worst spaghetti code this is solidly on the durr side of Hurr-Durrrr
    • Re:HurrDurr 101? (Score:5, Insightful)

      by Ksevio (865461) on Wednesday November 14, 2012 @12:09PM (#41980729) Homepage
      That part actually makes sense. Skype allows you to have multiple accounts tied to the same email (some people might use that to separate contacts but maintain the same email). To make it easy to use, you don't have to verify the email belongs to you, but email is really only for password resets so it's not a big deal if you put a bogus email in.

      Now if you were just signed up with some random guy's email, it wouldn't be such a big deal, but the BIG security issue here is that for whatever reason Skype will send the password reset message to the random guy's email AND any Skype client associated with the email, and then almost worse, let you pick which account on the email to reset.

      If the password reset message was just sent to the email, it would be fine, but sending it to an account that doesn't have a verified email is an issue.
      • by rhizome (115711)

        I'm not sure I understand this.

        So, it appears that Friendster still exists, and that it's quite popular in Southeast Asia. I have a domain that is apparently a natural one to use by teenage girls in Indonesia when creating their Friendster accounts. I have received many, many notification emails associated with these accounts, after which I request a password reset, receive the email, then log in and lock the account down, typically with a "HURR DURR I DON'T KNOW WHAT EMAIL IS" type status message. Is this

      • That part actually makes sense. Skype allows you to have multiple accounts tied to the same email (some people might use that to separate contacts but maintain the same email). To make it easy to use, you don't have to verify the email belongs to you, but email is really only for password resets so it's not a big deal if you put a bogus email in.

        How about this for a simple fix to still allow this multi-account feature: people can create as many accounts as they want to with the same email address, but in order to do that they need to be logged in to one of their existing accounts. You don't get to just sign up with a new account anonymously and use whatever email address is already linked to an account.

  • by dalias (1978986) on Wednesday November 14, 2012 @11:05AM (#41980235)
    I have multiple Skype accounts created on the same email address (for different people, however) and it does not allow one to login as the other. It's possible to password-reset any of them independently.
    • by Anonymous Coward

      If dalias is correct in saying that the accounts using the same email address are independent, and that it follows that an account cannot be hijacked, then all that's really happening is a new account is created with an incorrect email address. The failure in this case would be in accepting this submission to slashdot.

    • by SpzToid (869795)

      Statistically speaking, you seem correct. Consider the brute-force possibilities of all those many millions of Skype users, some with dubious motivations, and how many of them must have tried this at least once and paid attention?

      Or, maybe they did, and just kept quiet about it?

      And profited?

      Think about the billions.

      Skype was never exactly motivated to further innovate, or engineer to a higher level; possibly with security enhancements. Skype has always been about the numbers. The numbers also indicate someo

    • by Anonymous Coward on Wednesday November 14, 2012 @12:12PM (#41980759)

      You miss the point completely.

      It's a password reset token notification with a link (like this [imgur.com]) that appeared in the Skype clients of anyone who has this email set as primary. When you click that link, it leads to a password reset page with a dropdown box listing all accounts registered with this email and a "reset password" button.

      The problem is that they don't require verification when setting a primary email.
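The thread above pins the flaw on two things: reset tokens being pushed to every client whose (unverified) primary email matches, and sign-up accepting an email already tied to someone else's account. The following is an added example, not Skype's code: a toy account store (all names, the `client_inbox` stand-in for in-app notifications, and the `session_user` parameter are constructed) that shows the flawed delivery next to a hardened one, and the sign-up rule proposed earlier in the thread (reuse of an email only from a logged-in session that owns a verified copy of it).

```python
# Added example, not Skype's code: a toy account store modelling the checks the thread asks for.
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool = False
    client_inbox: list = field(default_factory=list)  # stands in for the app's notifications


class AccountStore:
    def __init__(self):
        self.accounts = {}

    def owners_of(self, email):
        return [a for a in self.accounts.values() if a.email.lower() == email.lower()]

    def register(self, username, email, session_user=None):
        """An email already tied to an account may be reused only from a logged-in
        session whose account has verified that same address (the fix proposed above)."""
        if username in self.accounts:
            raise ValueError("username taken")
        holders = self.owners_of(email)
        if holders and not any(a.username == session_user and a.email_verified for a in holders):
            raise PermissionError("email in use; sign in to an account that owns it first")
        self.accounts[username] = Account(username, email)
        return self.accounts[username]

    def verify_email(self, username):
        # Called once the user follows a verification link (link delivery not modelled).
        self.accounts[username].email_verified = True

    def reset_flawed(self, email):
        """The behaviour described in the thread: one token pushed into every client
        whose primary email matches, verified or not, with the list of accounts to pick from."""
        token = secrets.token_urlsafe(16)
        names = [a.username for a in self.owners_of(email)]
        for a in self.owners_of(email):
            a.client_inbox.append({"token": token, "choose_from": names})
        return token

    def reset_hardened(self, email):
        """Per-account tokens handed only to the mail system for that address, and only
        for accounts that verified it; nothing reaches in-app clients, and an unknown or
        unverified address yields the same empty result."""
        return {a.username: secrets.token_urlsafe(16)
                for a in self.owners_of(email) if a.email_verified}
```

With an account created under the old sign-up rule (inserted directly into the store to simulate it), `reset_flawed` lands a token and the full account list in that client, while `reset_hardened` issues tokens only for the verified owner and leaves the unverified client empty.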

  • What kind of QA system do they have in place at Skype---or maybe they should start one?

  • Xbox Live (Score:2, Interesting)

    by asavage (548758)
    Microsoft also has issues with Xbox Live although not close to as bad. Some guy when he bought Xbox Live Gold accidentally entered my email address which has linked his 5 year account to my email. Last weekend I bought a game on steam which requires Games for Windows Marketplace. Since I had to have an account to play the game I entered my email and it said I already had an account so I did a password reset. This other guy has now lost his Xbox Live Gold account with 7 months left already paid for and s
    • Uh, you do know you could just change the email associated with the account ( https://commerce.microsoft.com/PaymentHub/Profile [microsoft.com] ) for the guy, then give him that account and set up a new one with your email address, right?
      • +1 for nice guys.
      • by asavage (548758)
        I can't do that as I lose access to the game I just bought.
    • Someone signed up for a facebook account with my e-mail address. I let it go for a year or so but then the FB spam became too annoying so I reset the password and deactivated his account for him.

  • As minimal summaries go this one will take some beating.

    "All you need to do is register a new account using that email address

    Wait, which email address? (the person whose account you want to gain access to, says the article)

    and even though that address is already used (and the registration process does tell you this) you can still complete the new account process and then sign in using that account Info (original post in Russian)"

    Right, and then what? You seem to have missed the entire rest of the process where you actually carry out the password reset trick. Make me read the bloody article indeed...

    The reason this works is simple, but it’s still worrying. When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account.

    Or something like that.

  • Skype has also been plagued with billing issues. I had a subscription years ago; that bank card is now expired. I cancelled the subscription, years ago.. as soon as Microsoft bought Skype, I started getting emails saying my card was declined, with no recourse, no way to cancel the subscription they tried to start up on me again...
