Skype Disables Password Resets After Huge Security Hole Discovered
another random user writes with news of a vulnerability in the Skype password reset tool: "All you need to do is register a new account using that email address, and even though that address is already used (and the registration process does tell you this), you can still complete the new account process and then sign in using that account." (Original post in Russian.)
concealment adds a link to another article with an update that Skype disabled the password reset page as a temporary fix.
Re:Defective Microsoft (Score:5, Insightful)
I almost feel sorry for them discovering this just after they discontinued Microsoft Messenger and moved people on to Skype. To be fair, I expect this hole existed when they bought Skype.
I’m not so sure about that, y’know. It would likely have been discovered by now.
I expect it’s a side effect of the migration of MSN users to Skype as it likely requires changes to both Skype and its backend.
It's not new. I have an email address that people assume doesn't exist, so they sign up for things with it all the time. About two years ago, I received a password reset mail from Skype. When I went to reset it (as I do with every random account people sign up for with my email), they gave me the option to reset about a half dozen accounts. I now maintain a list of burner Skype accounts that had previously used my address.
Fun fact: you are limited to 4 successful resets, per email address, per day.
Re:HurrDurr 101? (Score:5, Insightful)
Now if you were just signed up with some random guy's email, it wouldn't be such a big deal, but the BIG security issue here is that for whatever reason Skype will send the password reset message to the random guy's email AND any Skype client associated with the email, and then almost worse, let you pick which account on the email to reset.
If the password reset message was just sent to the email, it would be fine, but sending it to an account that doesn't have a verified email is an issue.
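To make the distinction in that comment concrete, here is an added Python sketch (not Skype's code; the account store and function names are assumptions of mine) contrasting a reset flow that offers every account merely claiming an address with one that only honours a confirmed address and binds the token to a single account.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    account_id: str
    email: str
    email_verified: bool = False  # only true after a confirmation link is redeemed


def register(accounts, account_id, email):
    """Sign-up may reuse an address someone else typed (as the thread
    describes), but the new account's address stays unverified."""
    accounts.append(Account(account_id, email))


def request_reset_vulnerable(accounts, email):
    """The flaw in the thread: every account that claims the address is
    offered for reset, and the requester gets to see the whole list."""
    return {a.account_id: secrets.token_urlsafe(32)
            for a in accounts if a.email == email}


def request_reset_hardened(accounts, email):
    """Only a confirmed address is eligible. Each token is bound to one
    account and is delivered by e-mail only; the HTTP response to the
    requester is a fixed 'check your mail' regardless of the outcome."""
    eligible = [a for a in accounts if a.email == email and a.email_verified]
    # outbox entries are (recipient, account_id, token) handed to the mailer
    return [(a.email, a.account_id, secrets.token_urlsafe(32)) for a in eligible]


def redeem(outbox, account_id, token):
    """A token only resets the account it was issued for; it cannot be
    used to pick a different account under the same address."""
    return any(aid == account_id and secrets.compare_digest(tok, token)
               for _, aid, tok in outbox)


def sample_accounts():
    """Constructed data: one owner who confirmed the address, and two later
    sign-ups that reused it without ever confirming."""
    accounts = [Account("owner", "alice@example.com", email_verified=True)]
    register(accounts, "stranger1", "alice@example.com")
    register(accounts, "stranger2", "alice@example.com")
    return accounts
```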