What we have here is a failure to communicate

Today a major Skype vulnerability was reported and quickly fixed. http://thenextweb.com/microsoft/2012/11/14/security-hole-allows-anyone-to-hijack-your-skype-account-using-only-your-email-address/?fromcat=all

The problem stemmed from the fact that Skype doesn’t validate emails.

When you sign up for many services, you enter an email address and then click a link that the company sends to that address to validate that it is an address you control.
Skype just signs you up and sends a welcome email to the address you entered.

So what happens in this attack is that someone signs up an account using your email address. They then add a secondary email to the account, their own.
They can request a password reset from their account, but because of the email linkage it will also affect your Skype account. If the attacker knows your Skype username, they can now take it over.

It’s surprising that something like this wasn’t publicized earlier, but there’s not too much for an attacker to gain from a Skype account. However having little value is no excuse for overlooking basic security.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s