A new security hole has been discovered in Microsoft’s Skype that allows anyone to change your password and thus take over your account. The issue was first posted on a Russian forum two months ago and has been confirmed by The Next Web (we have not linked to any of the blogs or posts detailing the exploit because it is very easy to reproduce).
Update: Skype has fixed the issue, overhauling its password reset process. More here.
We’ve been in touch with Skype over the past few hours to give them a chance to address this vulnerability. The company has informed us it is currently conducting an internal investigation.
To exploit this flaw, all you need to know is your victim’s email address tied to their Skype account. To protect yourself, you would have to change your email address to one that nobody knows or could easily guess, but most likely Microsoft will get around to fixing the problem before that becomes necessary.
We reproduced the attack, step-by-step, and managed to access the Skype accounts of TNW writer (with permission) Josh Ong (as well as editor Matt Brian to verify again) with only their email addresses. Essentially, that email address is used to create a new account with your own email address tied to it. Then, minus a couple of key steps, you can use a password reset token to gain access to your target’s account.
Having done all that, I could see my username for Josh’s account, and Josh’s username (for the first time – note, I had no idea what it was until this point) for his account, as well as change the password for whichever I pleased. I changed Josh’s, locking him out of the account and letting me in. Since I did this before Josh could, and he would have to be watching his email account “like a hawk” (his words, not mine) to beat me, I essentially gained exclusive access to his account. He couldn’t log back in until I gave him the new password.
The reason this works is simple, but it’s still worrying. When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account.
This should not be allowed, as it lets anyone create another username for your Skype account by just knowing your email address. The exposer of the vulnerability says that it has been reported but the hole is clearly still open.
In the meantime, the best way to avoid being targeted by this is to use a different email address for your Skype account: change it over on Skype.com now to one only you know about. To do this, click on the “Sign In” in the top-right corner, click on the “Profile” link in the middle of the page under “Account Details,” and scroll down to “Contact details.” From there, click on “Add email address,” add one, scroll to the bottom, and hit “Save.” One last time, scroll to the bottom again, click on “Edit,” then finally scroll up and choose “Set as primary email” beside your covert email address.
We have contacted both Skype and Microsoft about this issue in the hopes that it can be corrected sooner rather than later. We will update you when we learn more.
Update: Skype shared the following statement with The Next Web:
“We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority”
Image credit: Nick Benjaminsz