Skype disables password reset system after vulnerability disclosure - gHacks Tech News

Skype disables password reset system after vulnerability disclosure

Skype's password reset system is vulnerable to an attack that gives attackers full control over affected accounts. The only information attackers need to successfully compromise a Skype account is the victim's email address. Skype checks the email address that you enter when you create a new account. If it already exists in the database, it will give you the option to create a new Skype name using that email address and links both accounts internally.

The issue here is that Skype won't ask you to verify the email address that you have just entered during setup. Instead, you are automatically logged in to the account. While you can't see the contacts, chat history and other information of the original user just yet, the following method gets you full access to that username's account.

When you use Skype's password reset system you are asked to enter the email address associated with the account. Skype interestingly enough sends the password token to the associated email address and displays its in the Skype interface as well. You can use that token to reset the password of the current account or the original account. Skype displays all linked accounts here and once again fails to verify at any stage if you are really the account owner of the original account.

skype password reset

To paraphrase: Skype links accounts automatically when the same email address is entered during account creation. The password recovery system displays the token to change the password in Skype, and not only in the password recovery email. Since both accounts are linked users can reset the password of the original account to one of their liking to gain access to that account.

Skype has reacted to the vulnerability and disabled the service's password reset system for now.  The only option to protect the account at the time of writing is to use an email address that no one knows.

It is likely that Skype is going to fix the system before it is re-enabled. It is easy enough to do so, for instance by requiring confirmation before accounts get linked, or by disabling the option to reset the password from within Skype without confirmation email.

Update: Skype has fixed the issue

Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Satwant said on November 14, 2012 at 6:52 pm
    Reply

    How can we secure our skype account?

    1. Martin Brinkmann said on November 14, 2012 at 7:05 pm
      Reply

      Microsoft is aware of the issue and they are likely going to fix it very soon.

  2. ilev said on November 14, 2012 at 9:53 pm
    Reply

    New version of Skype Skype 6.0.0.126

  3. ilev said on November 15, 2012 at 7:44 am
    Reply

    This security bug has published and know to Microsoft for 2 month.
    Microsoft fixed it only after thenextweb site has published it as well, yesterday.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.