[Infowarrior] - Skype IDs hijackable by ANY FOOL who knows your email address

Richard Forno rforno at infowarrior.org
Wed Nov 14 07:22:04 CST 2012


Skype IDs hijackable by ANY FOOL who knows your email address

By John Leyden

Posted in Security, 14th November 2012 12:25 GMT

A vulnerability in Skype allows anyone to hijack its users' accounts just by knowing or guessing a punter's registered email address.

The embarrassing security hole, which is trivial to abuse, was first discussed on a Russian underground forum three months ago. Last night a Russian blog publicised the bug, and details of the flaw circulated on the internet. The hijack is triggered by signing up for a new Skype account using the email address of another registered user. No access to the victim's inbox is required; one simply needs to know the address.

Creating an account this way generates a warning that the email address is already associated with another user, but crucially the voice-chat website does not prevent the opening of the new account. From there it's possible to request a new password for the victim's account; a security token is sent to the attacker's Skype client, allowing the login credential to be reset.

Armed with this token, it is possible to download private chat logs for the compromised account while the actual owner is locked out.

In a holding statement, the Microsoft-owned VoIP biz confirmed it has disabled the password reset mechanism as a temporary measure:

< -- >

http://www.theregister.co.uk/2012/11/14/skype_disables_password_reset_bug/
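As an added illustration (not code from the article, from Skype or from Microsoft), here is a small Python model of the two flows: the flawed one the article describes, where a duplicate email only triggers a warning and the reset token is handed to whichever client asked, and a hardened one that refuses to bind an already-registered address, waits for mailbox verification, and delivers the token to the mailbox only. The class, function and account names are hypothetical and the scenario is constructed.

```python
import secrets


class AccountStore:
    """hardened=False mirrors the flawed flow described above: a duplicate email
    only warns, and reset tokens go to whichever client asked. hardened=True binds
    an email to one account, only after verification, and mails the token instead."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.accounts = {}      # username -> {"email": ..., "verified": bool}
        self.reset_tokens = {}  # token -> username the token resets
        self.deliveries = []    # (channel, token) pairs actually sent

    def _by_email(self, email):
        return [u for u, a in self.accounts.items() if a["email"] == email]

    def register(self, username, email):
        email = email.strip().lower()
        taken = bool(self._by_email(email))
        if taken and self.hardened:
            return "rejected: email already bound to another account"
        # Flawed flow trusts the address unverified; hardened waits for verify_email.
        self.accounts[username] = {"email": email, "verified": not self.hardened}
        return "created (warning: email already in use)" if taken else "created"

    def verify_email(self, username):
        # Stands in for the user proving mailbox control (e.g. clicking a mailed link).
        self.accounts[username]["verified"] = True

    def request_reset(self, email, requesting_client):
        # Issues reset tokens and returns the channels they were delivered to.
        email = email.strip().lower()
        channels = []
        for user in self._by_email(email):
            if self.hardened and not self.accounts[user]["verified"]:
                continue  # an unverified binding never receives a reset token
            token = secrets.token_urlsafe(16)
            self.reset_tokens[token] = user
            channel = "mailbox:" + email if self.hardened else "client:" + requesting_client
            self.deliveries.append((channel, token))
            channels.append(channel)
        return channels


def simulate(hardened):
    # Constructed scenario: 'victim' registers first; a second signup reuses the address.
    store = AccountStore(hardened)
    store.register("victim", "victim@example.com")
    store.verify_email("victim")
    second = store.register("second", "victim@example.com")
    channels = store.request_reset("victim@example.com", "second-client")
    reachable = sorted(store.reset_tokens[t] for c, t in store.deliveries if c.startswith("client:"))
    return {"second_signup": second, "channels": channels, "resettable": reachable}
```

In the flawed mode the second signup succeeds and the tokens for both accounts, the victim's included, land on the second client; in the hardened mode the duplicate signup is refused and the only token goes to the mailbox.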

---
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.
