Skype Disables Password Resets After Huge Security Hole Discovered

another random user writes with news of a vulnerability in the Skype password reset tool: "All you need to do is register a new account using that email address, and even though that address is already used (and the registration process does tell you this) you can still complete the new account process and then sign in using that account." Info (original post in Russian). concealment adds a link to another article with an update that Skype disabled the password reset page as a temporary fix.
  • by junk ( 33527 ) on Wednesday November 14, 2012 @11:04AM (#41980219)

    I almost feel sorry for them discovering this just after they discontinued Microsoft Messenger and moved people on to Skype. To be fair I expect this hole existed when they brought Skype.

    I’m not so sure about that, y’know. It would likely have been discovered by now.

    I expect it’s a side effect of the migration of MSN users to Skype as it likely requires changes to both Skype and its backend.

    It's not new. I have an email address that people assume doesn't exist, and they sign up for things with it all the time. About two years ago, I received a password reset mail from Skype. When I went to reset it (as I do with every random account people sign up for with my email), they gave me the option to reset about a half dozen accounts. I now maintain a list of burner Skype accounts that had previously used my address.

    Fun fact: you are limited to 4 successful resets, per email address, per day.

  • Re:HurrDurr 101? (Score:5, Insightful)

    by Ksevio ( 865461 ) on Wednesday November 14, 2012 @12:09PM (#41980729) Homepage
    That part actually makes sense. Skype allows you to have multiple accounts tied to the same email (some people might use that to separate contacts but maintain the same email). To make it easy to use, you don't have to verify the email belongs to you, but email is really only for password resets, so it's not a big deal if you put a bogus email in.

    Now if you were just signed up with some random guy's email, it wouldn't be such a big deal, but the BIG security issue here is that for whatever reason Skype will send the password reset message to the random guy's email AND any Skype client associated with the email, and then almost worse, let you pick which account on the email to reset.

    If the password reset message was just sent to the email, it would be fine, but sending it to an account that doesn't have a verified email is an issue.
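As an added illustration of the point made in this comment (example code written for this page, not Skype's or Microsoft's own logic), the model below contrasts a reset flow that behaves the way the thread describes with a hardened one. The account names, the address `owner@example.com`, the in-memory outbox and the `client_inbox` list standing in for push messages to signed-in clients are all constructed for the example. The hardened flow only mints a token for accounts whose address is verified, delivers it to that address alone, binds each token to exactly one account, and returns the same response whether or not the address is registered.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool
    password: str = "old-password"
    # Constructed stand-in for messages pushed to this account's signed-in clients.
    client_inbox: list = field(default_factory=list)


ACCOUNTS: list[Account] = []
MAIL_OUTBOX: list[tuple[str, str]] = []   # (recipient address, message body)
PENDING: dict[str, list[str]] = {}        # sha256(token) -> usernames it may reset


def reset_state():
    """Load the constructed scenario: 'victim' owns and verified the address;
    'squatter' later registered a second account with the same, unverified, address."""
    ACCOUNTS.clear()
    MAIL_OUTBOX.clear()
    PENDING.clear()
    ACCOUNTS.append(Account("victim", "owner@example.com", email_verified=True))
    ACCOUNTS.append(Account("squatter", "owner@example.com", email_verified=False))


def _h(token: str) -> str:
    # Store only a hash of the token so a leaked PENDING table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def _accounts_for(email: str) -> list[Account]:
    return [a for a in ACCOUNTS if a.email.lower() == email.lower()]


def _set_password(username: str, new_password: str) -> None:
    for a in ACCOUNTS:
        if a.username == username:
            a.password = new_password


def request_reset_weak(email: str) -> dict:
    """Flow as the thread describes it: one token covers every account on the
    address, it is pushed to the address AND to each matching account's clients
    (verified or not), and the account names are disclosed so the requester can pick."""
    matches = _accounts_for(email)
    token = secrets.token_urlsafe(32)
    PENDING[_h(token)] = [a.username for a in matches]
    MAIL_OUTBOX.append((email, f"reset token {token}"))
    for a in matches:
        a.client_inbox.append(token)      # unverified account's client gets it too
    return {"accounts": [a.username for a in matches]}


def complete_reset_weak(token: str, username: str, new_password: str) -> bool:
    """The requester chooses which of the listed accounts the token resets."""
    allowed = PENDING.pop(_h(token), [])
    if username not in allowed:
        return False
    _set_password(username, new_password)
    return True


def request_reset_hardened(email: str) -> dict:
    """Defensive flow: a token only for verified addresses, delivered only by email,
    one token per account, and a constant response to prevent account enumeration."""
    for a in _accounts_for(email):
        if not a.email_verified:
            continue                      # nothing minted, nothing pushed, nothing listed
        token = secrets.token_urlsafe(32)
        PENDING[_h(token)] = [a.username]
        MAIL_OUTBOX.append((email, f"reset {a.username}: token {token}"))
    return {"status": "if that address is registered, a message has been sent"}


def complete_reset_hardened(token: str, new_password: str) -> bool:
    """Single-use token bound to exactly one account; no account selection by the caller."""
    usernames = PENDING.pop(_h(token), [])
    if len(usernames) != 1:
        return False
    _set_password(usernames[0], new_password)
    return True


if __name__ == "__main__":
    reset_state()
    print(request_reset_weak("owner@example.com"))       # discloses both account names
    reset_state()
    print(request_reset_hardened("owner@example.com"))   # constant status only
```

The two `request_reset_*` functions take the same input, so the difference in what reaches `MAIL_OUTBOX`, `client_inbox` and the caller is the whole of the defect the comment describes; a regression test on a real reset service would assert the same three things.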

