Skype disables password reset system after vulnerability disclosure
Skype's password reset system is vulnerable to an attack that gives attackers full control over affected accounts. The only information attackers need to successfully compromise a Skype account is the victim's email address. Skype checks the email address that you enter when you create a new account. If it already exists in the database, it will give you the option to create a new Skype name using that email address and links both accounts internally.
The issue here is that Skype won't ask you to verify the email address that you have just entered during setup. Instead, you are automatically logged in to the account. While you can't see the contacts, chat history and other information of the original user just yet, the following method gets you full access to that username's account.
When you use Skype's password reset system you are asked to enter the email address associated with the account. Skype interestingly enough sends the password token to the associated email address and displays its in the Skype interface as well. You can use that token to reset the password of the current account or the original account. Skype displays all linked accounts here and once again fails to verify at any stage if you are really the account owner of the original account.
To paraphrase: Skype links accounts automatically when the same email address is entered during account creation. The password recovery system displays the token to change the password in Skype, and not only in the password recovery email. Since both accounts are linked users can reset the password of the original account to one of their liking to gain access to that account.
Skype has reacted to the vulnerability and disabled the service's password reset system for now. The only option to protect the account at the time of writing is to use an email address that no one knows.
It is likely that Skype is going to fix the system before it is re-enabled. It is easy enough to do so, for instance by requiring confirmation before accounts get linked, or by disabling the option to reset the password from within Skype without confirmation email.
Update: Skype has fixed the issue
AdvertisementEarly this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.
Are these articles AI generated?
Now the duplicates are more obvious.
This is below AI generated crap. It is copy of Microsoft Help website article without any relevant supporting text. Anyway you can find this information on many pages.
Yes, but why post the exact same article under a different title twice on the same day (19 march 2023), by two different writers?
1.) Excel Keyboard Shortcuts by Trevor Monteiro.
2.) 70+ Excel Keyboard Shortcuts for Windows by Priyanka Monteiro
Why oh why?
Yeah. Tell me more about “Priyanka Monteiro”. I’m dying to know. Indian-Portuguese bot ?
Probably they will announce that the taskbar will be placed at top, right or left, at your will.
Special event by they is a special crap for us.
If it’s Microsoft, don’t buy it.
Better brands at better prices elsewhere.
All new articles have zero count comments. :S
WTF? So, If I add one photo to 5 albums, will it count 5x on my storage?
It does not make any sense… on google photos, we can add photo to multiple albums, and it does not generate any additional space usage
I have O365 until end of this year, mostly for onedrive and probably will jump into google one
Photo storage must be kept free because customers chose gadgets just for photos and photos only.
What a nonsense. Does it mean that albums are de facto folders with copies of our pictures?
Sounds exactly like the poor coding Microsoft is known for in non-critical areas i.e. non Windows Core/Office Core.
I imagine a manager gave an employee the task to create the album feature with hardly any time so they just copied the folder feature with some cosmetic changes.
And now that they discovered what poor management results in do they go back and do the album feature properly?
Nope, just charge the customer twice.
Sounds like a go-getter that needs to be promoted for increasing sales and managing underlings “efficiently”, said the next layer of middle management.
When will those comments get fixed? Was every editor here replaced by AI and no one even works on this site?
Instead of a software company, Microsoft is now a fraud company.
For me this is proof that Microsoft has a back-door option into all accounts in their cloud.
quote “…… as the MSA key allowed the hacker group access to virtually any cloud account at Microsoft…..”
unquote
so this MSA key which is available to MS officers can give access to all accounts in MS cloud.This is the backdoor that MS has into the cloud accounts. Lucky I never got any relevant files of mine in their (MS) cloud.
>”Now You: what is your theory?”
That someone handed an employee a briefcase full of cash and the employee allowed them access to all their accounts and systems.
Anything that requires 5-10 different coincidences to happen is highly unlikely. Occam’s razor.
Good reason to never login to your precious machine with a Microsoft a/c a.k.a. as the cloud.
The GAFAM are always very careless about our software automatically sending to them telemetry and crash dumps in our backs. It’s a reminder not to send them anything when it’s possible to opt out, and not to opt in, considering what they may contain. And there is irony in this carelessness biting them back, even if in that case they show that they are much more cautious when it’s their own data that is at stake.