Skype Disables Password Resets After Huge Security Hole Discovered
another random user writes with news of a vulnerability in the Skype password reset tool "All you need to do is register a new account using that email address, and even though that address is already used (and the registration process does tell you this) you can still complete the new account process and then sign in using that account Info (original post in Russian)"
concealment adds a link to another article with an update that Skype disabled the password reset page as a temporary fix.
Re: (Score:2)
Which part of "Microsoft Product" did you not understand?
I almost feel sorry for them discovering this just after they discontinued Microsoft Messenger and moved people on to Skype. To be fair I expect this hole existed when they brought Skype.
Re: (Score:2, Funny)
I'd ask for a refund!
Re: (Score:1, Informative)
Bought*
I wish people would get this mix up of words right. It's like when someone says "me either" in response to something like "I don't like that":
- I don't like bees
- Nah, me either, I hate them.
It's neither dammit!!
Re:Defective Microsoft (Score:5, Funny)
Your to fussy. I could care less.
Re: (Score:3, Funny)
Guys, loose this off-topic subthread already.
Re: (Score:2)
Too late, it's already been set free.
Re: (Score:1)
LOL!
Unfortunately, it's an AMERICAN thing.
Just like the idiots who keep saying 'more THAT' or 'MORE then', instead of 'more THAN'.
How can anybody not know the difference between those three words? Obviously they don't read any printed media, just trash off the internet.
Or people who say "this person that I just met". It's "who", or if you really understand grammar then it's "whom". "That" doesn't work unless you just "met" an inanimate object.
Re: (Score:2)
if you really understand grammar
I don't think you can "understand" grammar (*) any more than you can "understand" vocabulary, as in why the sequence D-O-G represents a cute fluffy animal that barks and the sequence C-A-T represents a cute fluffy animal that meows. Grammar simply IS what it is, and sometimes it changes to something else, just like vocabulary. Wait a century and watch "whom" sink into oblivion.
(*) Unless, of course, we're talking about Universal Grammar.
Re: (Score:2)
I think "understand" makes sense in this context. You are arguing that spelling, or perhaps definition, is simply memorisation. In this reductive sense everything, like the rules of physics, is simply memorised rather than understood. Grammar, though, requires a deeper knowledge of language concepts (in this case subject and object pronouns) and context than spelling or noun definition.
You are probably correct about "whom" disappearing - it's almost unused in common language already. English seems to be
Re: (Score:2)
I think "understand" makes sense in this context.
I beg to differ, and here is why...
You are arguing that spelling, or perhaps definition, is simply memorisation.
In any language, some aspects are governed by universal rules and the rest is purely incidental. Not surprisingly, a large part of what we call grammar is incidental. There's no reason, for example, for English to have exactly three verb tenses (for a certain value of "verb tense") referring to past events, having the precise semantic nuances they have in modern English. (For a more academic value of "verb tense", English only has two verb tenses, the past one and the inde
Re: (Score:3)
It is basically the difference between knowing their shit and knowing they're shit.
Re: (Score:3)
Bought*
I wish people would get this mix up of words right. It's like when someone says "me either" in response to something like "I don't like that":
- I don't like bees
- Nah, me either, I hate them.
It's neither dammit!!
It's damn it...
Re: (Score:2)
Oh come on now. I thought it worked just fine.
MS Exec: Should we get Skype?
Dylan Hunt: Lets bring it!
MS Exec: Pwnt!
Re: (Score:3)
I almost feel sorry for them discovering this just after they discontinued Microsoft Messenger and moved people on to Skype. To be fair I expect this hole existed when they brought Skype.
I’m not so sure about that, y’know. It would likely have been discovered by now.
I expect it’s a side effect of the migration of MSN users to Skype as it likely requires changes to both Skype and its backend.
Re:Defective Microsoft (Score:5, Insightful)
I almost feel sorry for them discovering this just after they discontinued Microsoft Messenger and moved people on to Skype. To be fair I expect this hole existed when they brought Skype.
I’m not so sure about that, y’know. It would likely have been discovered by now.
I expect it’s a side effect of the migration of MSN users to Skype as it likely requires changes to both Skype and its backend.
It's not new. I have an email address that people assume doesn't exist, so they sign up for things with it all the time. About two years ago, I received a password reset mail from Skype. When I went to reset it (as I do with every random account people sign up for with my email), they gave me the option to reset about a half dozen accounts. I now maintain a list of burner Skype accounts that had previously used my address.
Fun fact: you are limited to 4 successful resets, per email address, per day.
Re: (Score:2)
I have an email address that people assume doesn't exist
With a username like "junk"? Inconceivable! There's someone out there who's actually checking junk@junk.com?
Re: (Score:1)
If you are god@heaven.com, then it is my spam you get :-P
Re: (Score:2)
Oooh, that is a fun fact! You must have been bored though?
Usually when things like this happen, people start looking for places to poke fun, like bill.gates@live.com etc. I wonder who Ballmer has in his Skype contact list?
Re: (Score:2)
Satan@Hell.com
Re:Defective Microsoft (Score:5, Interesting)
To be fair I expect this hole existed when they brought Skype
That doesn't seem likely. In fact, I think this is a side effect of Microsoft preparing to integrate the 100 million msn messenger users into Skype. Somebody has been trying to ensure that the accounts will overlap nicely and has obviously made a huge mistake which allows this to happen.
Phew (Score:1)
I could have been easily hit by that one...
Re:Phew (Score:5, Funny)
I could have been easily hit by that one...
Think you weren't? I've been dialing your contacts all morning while dressed appropriately for chatroulette. Your grandma did not look happy, but your wife stayed connected for 45 minutes...
Re: (Score:2)
Of course I already checked that I had access, you can't steal an account this way without changing the password which would lock me out. And you incorrectly assumed that I have a wife ;-)
Re: (Score:3, Funny)
It already has been. Anonymous Cowards are everywhere! We are Legion!
there are security exploits (Score:1)
then there are epic lulz
Skype... (Score:1)
...take a deep breath, then get ready to rant!
Security is for pussies...!
HurrDurr 101? (Score:5, Funny)
Re: (Score:2)
Why have a unique key on email field when not having it makes the checks so much "better"? :)
A unique key for emails like 'AnonymousCoward@example.org', 'ANONYMOUSCOWARD@EXAMPLE.ORG', 'aNoNyMoUsCoWaRd@eXaMpLe.OrG'?
Mayhaps you mean a unique key on upper(email field).
Re:HurrDurr 101? (Score:5, Insightful)
Now if you were just signed up with some random guy's email, it wouldn't be such a big deal, but the BIG security issue here is that for whatever reason Skype will send the password reset message to the random guy's email AND any Skype client associated with the email, and then almost worse, let you pick which account on the email to reset.
If the password reset message was just sent to the email, it would be fine, but sending it to an account that doesn't have a verified email is an issue.
Re: (Score:2)
I'm not sure I understand this.
So, it appears that Friendster still exists, and that it's quite popular in Southeast Asia. I have a domain that is apparently a natural one to use by teenage girls in Indonesia when creating their Friendster accounts. I have received many, many notification emails associated with these accounts, after which I request a password reset, receive the email, then log in and lock the account down, typically with a "HURR DURR I DON'T KNOW WHAT EMAIL IS" type status message. Is this
Re: (Score:2)
That part actually makes sense. Skype allows you to have multiple accounts tied to the same email (some people might use that to separate contacts but maintain the same email). To make it easy to use, you don't have to verify that the email belongs to you, but email is really only for password resets, so it's not a big deal if you put a bogus email in.
How about this for a simple fix to still allow this multi-account feature: people can create as many accounts as they want to with the same email address, but in order to do that they need to be logged in to one of their existing accounts. You don't get to just sign up with a new account anonymously and use whatever email address is already linked to an account.
I don't entirely buy this... (Score:5, Interesting)
Re: (Score:1)
If dalias is correct in saying that the accounts using the same email address are independent, and that it follows that an account cannot be hijacked, then all that's really happening is a new account is created with an incorrect email address. The failure in this case would be in accepting this submission to slashdot.
Re: (Score:2)
Statistically speaking, you seem correct. Consider the brute-force possibilities of all those many millions of Skype users, some with dubious motivations, and how many of them must have tried this at least once and paid attention?
Or, maybe they did, and just kept quiet about it?
And profited?
Think about the billions.
Skype was never exactly motivated to further innovate, or engineer to a higher level; possibly with security enhancements. Skype has always been about the numbers. The numbers also indicate someo
Re:I don't entirely buy this... (Score:5, Informative)
You miss the point completely.
It's a password reset token notification with a link (like this [imgur.com]) that appeared in the Skype clients of anyone who had this email set as primary. When you clicked that link, it led to a password reset page with a dropdown box listing all accounts registered with this email and a "reset password" button.
The problem is that they don't require verification when setting a primary email.
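The thread makes three design points: email uniqueness only makes sense on a normalized address (the upper(email) remark), an unverified primary email should not be a reset channel, and a reset token must never be shown in-app to every account sharing that address. The toy model below is an added example, not Skype's code or anything from the thread; account names, the `ResetService` class and the scenario are constructed. It runs the same reset request through the weak flow as the thread describes it and through a hardened flow, and returns which accounts a newly registered second user could reset from their own client.

```python
import secrets
from dataclasses import dataclass

def normalize_email(addr: str) -> str:
    """Canonical form for uniqueness checks (the upper(email) suggestion from the thread)."""
    return addr.strip().lower()

@dataclass
class Account:
    username: str
    email: str              # stored normalized
    email_verified: bool    # owner clicked a confirmation link sent to this address

class ResetService:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts: dict[str, Account] = {}
        self.tokens: dict[str, list[str]] = {}        # token -> usernames it may reset
        self.mailbox: dict[str, list[str]] = {}       # email -> tokens delivered by mail
        self.client_push: dict[str, list[str]] = {}   # username -> tokens shown in-app
    def register(self, username: str, email: str, verified: bool = False) -> None:
        self.accounts[username] = Account(username, normalize_email(email), verified)
    def request_reset(self, email: str) -> None:
        email = normalize_email(email)
        matches = [a for a in self.accounts.values() if a.email == email]
        if self.hardened:
            # Only accounts that proved control of the address get a token, one token per
            # account, delivered to the mailbox only and never pushed to signed-in clients.
            for a in matches:
                if a.email_verified:
                    tok = secrets.token_urlsafe(16)
                    self.tokens[tok] = [a.username]
                    self.mailbox.setdefault(email, []).append(tok)
            return
        # Weak flow as the thread describes it: unverified addresses count, one token
        # covers every matching account (the dropdown) and is pushed to each client.
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = [a.username for a in matches]
        self.mailbox.setdefault(email, []).append(tok)
        for a in matches:
            self.client_push.setdefault(a.username, []).append(tok)
    def resettable_from_client(self, username: str) -> set[str]:
        """Accounts someone signed in as `username` could reset via tokens shown in-app."""
        return {u for tok in self.client_push.get(username, []) for u in self.tokens[tok]}

def scenario(hardened: bool) -> set[str]:
    """Constructed case: a second signup reuses an existing, verified owner's address."""
    svc = ResetService(hardened)
    svc.register("owner", "Owner@Example.org", verified=True)
    svc.register("newcomer", "owner@example.org")        # same address, never verified
    svc.request_reset("owner@example.org")
    return svc.resettable_from_client("newcomer")
```

In the weak flow the newcomer's client receives a token covering both accounts; in the hardened flow it receives nothing, and the single token that exists is mailed to the address and bound to the verified owner only.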
Don't they test anything? (Score:2)
What kind of QA system do they have in place at Skype---or maybe they should start one?
Re:Don't they test anything? (Score:5, Funny)
I'm sure they'll get back to it soon though!
Re: (Score:2)
Someone signed up for a facebook account with my e-mail address. I let it go for a year or so but then the FB spam became too annoying so I reset the password and deactivated his account for him.
A *little* more information would have been nice.. (Score:2)
"All you need to do is register a new account using that email address
Wait, which email address? (the one of the person whose account you want to gain access to, says the article)
and even though that address is already used (and the registration process does tell you this) you can still complete the new account process and then sign in using that account Info (original post in Russian)"
Right, and then what? You seem to have missed the entire rest of the process where you actually carry out the password reset trick. Make me read the bloody article indeed...
The reason this works is simple, but it’s still worrying. When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account.
Or something like that.
Re:A *little* more information would have been nic (Score:4, Informative)
RTFA! It's all clearly explained there!