Skype Experiences Security Vulnerability, Microsoft Patches it Up

From DailyTech: Skype had a security flaw that let an attacker access and take control of an account armed with nothing more than its owner's email address.

The Next Web learned of the security hole and reproduced the attack to confirm that it worked. The Next Web writer Emil Protalinski used co-worker Josh Ong as a stand-in target, creating a new Skype account registered to Ong's email address and tying his own to it as well.

A couple of steps later, Protalinski could see both his new username, registered to Ong's email address, and Ong's original username. More importantly, he was offered the option to change the password on Ong's account.

From there, Protalinski changed the password and locked Ong out of his account; Ong could not log back in until Protalinski gave him the new password.

"The reason this works is simple, but it’s still worrying," wrote Protalinski. "When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account."

The Next Web contacted Microsoft, which owns Skype, about the vulnerability. Microsoft responded that it was conducting an internal investigation. It later plugged the security hole and said only a "small number of users" had been affected.
