Posted by: Ken Harthun
Secure Computing, Security, Security best practice, Vulnerabilities
A serious security flaw in Microsoft-owned Skype allowed hackers to hijack accounts just by knowing the user’s email addresses. Details from this article at TechCrunch:
Skype faced a fairly serious security threat today [Nov. 14, 2012], thanks to a flaw in the system replicated by The Next Web that allowed people to sign up with email addresses already in use by other users and then force password resets for any accounts associated with those emails. Reset tokens could be delivered to the Skype client itself, meaning people didn’t need access to email accounts to reset passwords associated with them.
Very shortly after The Next Web notified Microsoft, the issue was fixed.
The flaw was actually more of a design issue than a security hole, according to Steve Gibson of Security Now! He discussed this flaw in Security Now! Episode #378:
Microsoft shut down the vulnerability, the aspect of vulnerability, which was password recovery. They took that part offline immediately, then looked at the problem, understood it, fixed it, and then brought password recovery back. So that’s what I mean by this being a design problem. As soon as someone told them, they’re like, oh, my god. And so it was easy to fix.