
Skype vulnerability allowing hijacking of an account if you know just the email - jtraub
http://pixus-ru.blogspot.ru/2012/11/hack-any-skype-account-in-6-easy-steps.html
======
kokoge
OP at <http://habrahabr.ru/post/158545/> (Russian) says that he reported this
vulnerability about 3 months ago. The lack of any reaction is unbelievable.

Hint: you can change your email to something like user+skype@gmail.com to
avoid registration of new email address.

~~~
jtraub
Even now Skype's reaction is unbelievable. They have been "investigating the
issue" for almost 2 hours.

~~~
Nux
Stop saying "Skype", use "Microsoft" instead, and it's not unbelievable at
all.

~~~
ghshephard
Except that Microsoft has a pretty stellar reputation when it comes to
security procedures. They're well known as being among the best in the
industry.

~~~
jxi
Well, they've certainly cleaned up their act, but I definitely wouldn't say
that they're known to be among the best in the industry. I remember just a
few years ago, you could get to ring0 in Windows and install a rootkit just via
the registry. Let's not forget all the Hotmail vulnerabilities similar to
this that have been active for an indeterminate amount of time.

~~~
coolnow
A few years is an enormous period of time especially when it comes to tech and
infosec.

------
timf
Microsoft reports they have disabled password resets during the investigation:
<http://heartbeat.skype.com/2012/11/security_issue.html>

~~~
timf
That text was replaced, here is the old text:

        We have had reports of a new security vulnerability issue. As a precautionary
        step we have temporarily disabled password reset as we continue to investigate
        the issue further. We apologize for the inconvenience but user experience and
        safety is our first priority

------
lucian1900
It's even worse! Their website is so broken you can't change your password
(new password fields are disabled) and you can't set a new email address as
primary (the "make primary" button only appears when the new email address
field is empty). Also, if you first add a new email address, save, then set it
to primary, it disappears. Wtf.

I see no recourse other than closing my account, if that's still possible.
[edit] No, not even that is possible.

~~~
anonymoushn
This appears to be a bug.

After adding the email address and clicking save, logging out, and logging in,
I found the email address was successfully added. At this point I could change
it to the primary one, click save, paste my password, and click the button on
the password prompt to successfully change my primary email address. If I
tried to add the email and make it primary in one session, it would not work.
If I entered my password and hit enter, it would not work.

~~~
jrabone
Doesn't work for me - I can add a new email address, but when I sign out and
back in it's vanished. Feels like they might have disabled parts of the
account management system.

~~~
zamryok
The site is very buggy indeed. But it is possible to change the primary email
address if, when you are prompted to retype your password, you "type password
and click button by mouse, not by "Enter" key" (as the post says). Maybe that
would work for you...

------
timf
Skype reports this has been resolved:
<http://heartbeat.skype.com/2012/11/security_issue.html>

        [UPDATE:14/11/2012@15:28GMT]
        Early this morning we were notified of user concerns surrounding the security
        of the password reset feature on our website. This issue affected some users
        where multiple Skype accounts were registered to the same email address. We
        suspended the password reset feature temporarily this morning as a precaution
        and have made updates to the password reset process today so that it is now
        working properly. We are reaching out to a small number of users who may
        have been impacted to assist as necessary. Skype is committed to providing a
        safe and secure communications experience to our users and we apologize
        for the inconvenience.

~~~
meritt
Good to hear they fixed it but it was responsibly disclosed a month ago and
Skype did nothing whatsoever. We really need a better way to hold a company
accountable for appropriately reacting to proven security threats without
requiring a public disclosure.

------
ivan_krechetov
I confirm. Just tested on Win7, Skype 6.0.0.120

The notification about the password reset token does appear in the Skype
client, but no reset code is shown at first. Then I've pressed Ctrl+F5 on the
home screen, skipped the Facebook thing, and here they are!

<http://www.xiag.ch/share/2012-11-14_1021.png>

On OSX it doesn't work, though. The password token notification doesn't come.

~~~
suchitpuri
Also, it seems the password reset link is not working for me.

~~~
jtraub
MS is fixing the problem right now. They turned off the password recovery form
a few minutes ago.

------
jere
By the way, Skype's registration page has inexplicable password rules.

_aaaaa1_ - strength: medium

_aaaaa12345_ - strength: poor

_=aStu!et$aQ@212345_ - strength: poor

~~~
lambda
Yeah, at my last job, someone implemented a password strength checking feature
that would actually reject stronger passwords. It required:

1. At least 3 out of the 4 categories uppercase, lowercase, digit, special
character

2. No character could be repeated more than two times

3. No sequence of 3 or more increasing or decreasing letters or numbers could
be present (and not even consecutive: "ta/Tbs#cz" would be rejected because it
contains "abc").

4. No English words or names could be present.

5. It must be at least 8 characters

There may have been other restrictions too, I don't recall the exact details.

This meant that perfectly reasonable passphrases (like "correct horse battery
staple") would be rejected. Even if you tried to come up with a good password
that met the rule, you might fail by accident because "89cRbcThe*)" has the
word "The" in it. You would generally have to come up with a password, then
whittle it down slowly until you passed all of the rules, usually making it
weaker in the process.
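
As an added illustration (not lambda's code; the policy is reconstructed from the five rules as stated above, rule 3 is read as "in order, not necessarily adjacent", and the word list is a small constructed stand-in for the real dictionary), a Python checker that reproduces the effect described: the long passphrase and "89cRbcThe*)" are rejected while a short random-looking string passes.

```python
from typing import List, Optional

# Constructed stand-in for the checker's English word list (the real list is
# not given on the page). Matching is case-insensitive, as "The" implies.
WORD_LIST = {"the", "correct", "horse", "battery", "staple", "password"}


def _step(c: str, step: int) -> Optional[str]:
    """Next letter (or digit) in direction `step`, staying in the same class."""
    nxt = chr(ord(c) + step)
    if c.isalpha() and nxt.isalpha() or c.isdigit() and nxt.isdigit():
        return nxt
    return None


def has_ordered_triple(pw: str) -> bool:
    """Rule 3 as we read it: three letters/digits ascending or descending by
    one appear in order anywhere in the string, not necessarily adjacent
    (so "ta/Tbs#cz" contains "abc")."""
    s = pw.lower()
    for i, c in enumerate(s):
        for step in (1, -1):
            b = _step(c, step)
            j = s.find(b, i + 1) if b else -1
            if j == -1:
                continue
            d = _step(b, step)
            if d and s.find(d, j + 1) != -1:
                return True
    return False


def violations(pw: str) -> List[str]:
    """Return the rules the password breaks; an empty list means accepted."""
    problems = []
    if len(pw) < 8:                                            # rule 5
        problems.append("shorter than 8 characters")
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if sum(classes) < 3:                                       # rule 1
        problems.append("fewer than 3 of 4 character classes")
    if any(pw.count(c) > 2 for c in set(pw)):                  # rule 2
        problems.append("a character repeats more than twice")
    if has_ordered_triple(pw):                                 # rule 3
        problems.append("contains an ascending/descending sequence")
    words = sorted(w for w in WORD_LIST if w in pw.lower())    # rule 4
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    return problems


for pw in ["correct horse battery staple", "89cRbcThe*)", "Xq7!mZp2"]:
    print(repr(pw), "->", violations(pw) or "accepted")
```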

~~~
smsm42
They must have really dedicated customers. That, or their users are required
to use their system under pain of multi-year imprisonment. I see no other
reason why anyone would agree to suffer through this.

------
mtgx
You can't even delete your Skype account if you want to. You can only change
some of the information:

[https://support.skype.com/en/faq/FA142/can-i-delete-my-skype...](https://support.skype.com/en/faq/FA142/can-i-delete-my-skype-account)

~~~
celebdor
If you contact support you can set the account as deleted. So that screenname
becomes unavailable (or at least that is what they told me when I did it).

------
frontsideair
I think as a precaution, you can change your Gmail address, using the +
operator. In case you didn't know, you can receive emails sent to
yourusername+anystring@gmail.com

------
dchest
In August I received an email from Skype thanking me for registering an
account. But I already had an account, I didn't register this one. After
comparing the new account name with part of my email, I came to the conclusion
that someone mistyped their email address, and registered an account on my
address. I contacted their live support, here's the conversation:

        George A: Hello! Welcome to Skype Live Support! My name is George. How
        may I help you?
    
        me: Recently I have received an email welcoming me to Skype (not
        phishing, I verified). The problem is that I didn't create the account
        mentioned in the email. The account name was "[NEW SKYPE ACCOUNT]" and
        my email is [MY EMAIL 1], so I think that user mistyped his email
        address, and then Skype sent a welcome message to me. Doesn't skype
        verifies email addresses before sending a welcome message?
    
        George A: I understand that you are concerned about your email address
        being used to setup a Skype account, I'll be happy to help you with
        that.  May I please have your Skype Name?
    
        me: [MY SKYPE ACCOUNT]
    
        George A: I would also need the email address, please.
    
        me: [MY EMAIL 1]. let me check that this address in on my Skype
        account... ok, my email on file in Skype is [MY EMAIL 2].  and a few
        other too, all mine :)
    
        George A: Well, I see that there is only Skype Name registered under
        that email address, the Skype Name is [NEW SKYPE ACCOUNT]
    
        me: Yes, for my account ([MY SKYPE ACCOUNT]) the primary email is [MY
        EMAIL 2], but other emails on profile are [MY EMAIL 1], [MY EMAIL 2],
        [MY EMAIL 3].
    
        George A: May I please ask you to confirm which Skype Name that you do
        not authorize?
    
        me: Does Skype sends verification message before assigning the email
        to account? The Skype name which I didn't create is [NEW SKYPE
        ACCOUNT]
    
        George A: May I also have the email address that was used?
    
        me: [MY EMAIL 1]
    
        George A: Well, I would need to send you a confirmation to that email
        address. I would kindle need you to reply back to that email.
    
        me: Please do
    
        George A: Then, we will be able to delete that Skype Name for you.
    
        me: thank you
    
        George A: You are most welcomed, please expect me email within 10
        minutes.  Is there anything else I can help you with today?
    
        me: Could you tell me if email accounts that are registered with Skype
        are being verified by sending a message to them? If so, maybe there's
        bug in your system?
    
        George A: We send a welcome email to the registered email address
        whenever a new account is set up using that email.
    
        me: OK, that's what I received. And then you also send other emails
        with offers to the same account. So, basically, anyone can create an
        account for any email. Why don't you verify emails?
    
        George A: Please understand that all of us here at Skype take our
        customers' privacy and confidentiality very seriously
    
        me: OK. Thank you.
    
        George A: You are most welcomed. It's been a pleasure speaking with
        you today. Thank you for contacting Skype Live Support, have a great
        day. We value your feedback. Please be aware that we will ask you a
        few questions after closing the chat window about your experience with
        us today.  Once you are ready please click on the "Exit" button.
    
        me: I suggest adding a link to Welcome email that says "I didn't
        create this account". Bye!

Realizing that there's nothing this support person could do about this, I sent
an email to their "security" people. I received no reply.

And now this failure to verify emails leads to the linked vulnerability. Nice.

~~~
grey-area
The same is, or was at least, true of Xbox Live: someone registered using my
email, and there's obviously no account confirmation, as the account is live
and I receive email notifications etc., but I can't get into it or remove it,
since I don't know the password. I wonder how many other sites do this to
avoid friction on sign up?

~~~
baggachipz
Happened to me too. I have no way to tell them that I am indeed _not_
xXx_Rastafarian_xXx .

~~~
re_todd
You're going to end up on some federal agency list for being a suspected
pothead ;)

~~~
drivebyacct2
Fortunately even our fear of drugs isn't that insane.

------
sondh
After successfully exploiting this on my own account, I tried again with my SO's
account and <https://login.skype.com/account/password-reset-request> had been
blocked. Pretty good emergency reaction.

It should be noted that after my account password was changed, I tried to log in
with the old password; the Windows Skype app told me the username and password
combination was wrong but it still let me log in. This may be a different
bug in caching?

Hope we can get a postmortem report out of this...

~~~
happyfreud
Apparently, <https://login.skype.com/account/password-automation> still works.

~~~
Smirnoff
It only works if the account had a credit card on file and/or made purchases
in the past. Unless you know the credit card number or the purchase ticket
number, this link isn't much help.

Can't believe Skype has been ignoring this issue until it got to the top of
Hacker News and HabraHabr.

------
gingerlime
I think it's a good practice to always use unique, unpredictable email
addresses when signing up for online services.

1. Most people use the same or similar password, so once one account gets
hacked, the attacker is probably able to use many other accounts on different
services with the same email address/password combo.

2. It's easier to spot services that spam, or that leak your email address (I
became aware of a leak of email addresses on Box... luckily it was only emails
that got leaked, at least according to Box support).

3. It's easier to block spam, once a service misbehaves or gives away the
email.

I wrote a little more about using it as a "passwordless password manager" at
[http://blog.gingerlime.com/2011/passwordless-password-manage...](http://blog.gingerlime.com/2011/passwordless-password-manager/)

update: (if the blog post is too long...) this does not mean setting up hundreds
of different email accounts. On most services like Hotmail, Google and Yahoo
you can simply append some unique string to your email address, e.g.
john+f820938422@gmail.com. Making this _unpredictable_ is important, however,
so appending +facebook and +twitter does not help much...

~~~
reirob
Are you suggesting having a different email address for every online service
we use? Today I manage about 100 different unique passwords for every online
service. This is already very inconvenient. Having different bogus email
addresses as well would be at least 2 times more difficult!

I think something is really broken in today's web authentication scheme. I
think there is a really huge need for some independent and reliable service
(Mozilla's Persona maybe).

~~~
wlll
I use unique and secure passwords for all online services,
<https://agilebits.com/onepassword> makes it really simple.

------
scrrr
And they said I'm crazy to create an extra email address just for Skype back
then..

------
jtraub
The password recovery form was disabled and as of now the vulnerability cannot
be exploited. See the announcement at
[http://community.skype.com/t5/Security-Privacy-Trust-and/Pas...](http://community.skype.com/t5/Security-Privacy-Trust-and/Password-vulnerability/m-p/1207232)

------
boingy
Not quite as bad, but it is also possible to get a user's IP address just by
sending them a friend request. This has been known about and exploited for
months, possibly over a year. It has meant that high-profile users of Skype on
sites like YouTube or twitch.tv have to keep their Skype private and/or
connect to it specifically with a proxy to avoid getting DDoSed.

------
danso
Any idea how long this bug has been present? I remember the login
process being inconsistent (especially among the iOS apps) when I signed up
four years ago, but I attributed it to me just being unfamiliar with the
service.

~~~
lostlogin
Yes. Wow yes. The interface is getting better, but it's still awful. At least
you can now return a missed call without going out of the page, into contacts,
and hunting the caller down. The OSX client is a whole other world of pain.
FaceTime briefly looked like a promising replacement, but no.

------
davidwparker
I'm genuinely curious: what's keeping people on Skype? There are better
alternatives out there now (Google+ Hangouts, for example). Will this push any
of you Skype users over?

~~~
smsm42
Hangouts are a very different use case from Skype. Skype is a messaging
platform, g-hangout is a teleconference platform. They have intersecting, but
not identical uses.

~~~
lotyrin
In my experience, the people that want me to use them have that exactly
backwards.

------
davedx
It looks like they've fixed it now. <https://twitter.com/Skype>

------
fromITroom
Forgot password is no longer working; seems like they switched the function off
for now. A step in the right direction.

------
andybak
Didn't work for me on the Mac version of the Skype client. Will retry on Win7.

------
leke
Nice work MicroSoft.

