In August I received an email from Skype thanking me for registering an account. But I already had an account, I didn't register this one. After comparing the new account name with part of my email, I came to the conclusion that someone mistyped their email address, and registered an account on my address. I contacted their live support, here's the conversation:
George A: Hello! Welcome to Skype Live Support! My name is George. How
may I help you?
me: Recently I have received an email welcoming me to Skype (not
phishing, I verified). The problem is that I didn't create the account
mentioned in the email. The account name was "[NEW SKYPE ACCOUNT]" and
my email is [MY EMAIL 1], so I think that user mistyped his email
address, and then Skype sent a welcome message to me. Doesn't skype
verifies email addresses before sending a welcome message?
George A: I understand that you are concerned about your email address
being used to setup a Skype account, I'll be happy to help you with
that. May I please have your Skype Name?
me: [MY SKYPE ACCOUNT]
George A: I would also need the email address, please.
me: [MY EMAIL 1]. let me check that this address in on my Skype
account... ok, my email on file in Skype is [MY EMAIL 2]. and a few
other too, all mine :)
George A: Well, I see that there is only Skype Name registered under
that email address, the Skype Name is [NEW SKYPE ACCOUNT]
me: Yes, for my account ([MY SKYPE ACCOUNT]) the primary email is [MY
EMAIL 2], but other emails on profile are [MY EMAIL 1], [MY EMAIL 2],
[MY EMAIL 3].
George A: May I please ask you to confirm which Skype Name that you do
me: Does Skype sends verification message before assigning the email
to account? The Skype name which I didn't create is [NEW SKYPE
George A: May I also have the email address that was used?
me: [MY EMAIL 1]
George A: Well, I would need to send you a confirmation to that email
address. I would kindle need you to reply back to that email.
me: Please do
George A: Then, we will be able to delete that Skype Name for you.
me: thank you
George A: You are most welcomed, please expect me email within 10
minutes. Is there anything else I can help you with today?
me: Could you tell me if email accounts that are registered with Skype
are being verified by sending a message to them? If so, maybe there's
bug in your system?
George A: We send a welcome email to the registered email address
whenever a new account is set up using that email.
me: OK, that's what I received. And then you also send other emails
with offers to the same account. So, basically, anyone can create an
account for any email. Why don't you verify emails?
George A: Please understand that all of us here at Skype take our
customers' privacy and confidentiality very seriously
me: OK. Thank you.
George A: You are most welcomed. It's been a pleasure speaking with
you today. Thank you for contacting Skype Live Support, have a great
day. We value your feedback. Please be aware that we will ask you a
few questions after closing the chat window about your experience with
us today. Once you are ready please click on the "Exit" button.
me: I suggest adding a link to Welcome email that says "I didn't
create this account". Bye!
Realizing that there's nothing this support person can do about this, I sent email to their "security" people. I received no reply.
And now this failure to verify emails leads to the linked vulnerability. Nice.
For reporters: what I wrote about is a different issue from today's vulnerability! However, if Skype verified emails, as I suggested, today's hack wouldn't be possible. (At least, today, I don't know whether guys discovered vulnerability earlier than I wrote to Skype support).
While I admit it's stupid they don't verify new user's email addresses, it doesn't look like doing so would even prevent this recent attack. If I understand the attack correctly, the only way to prevent your account being taken is to change you email address to something unknown. In effect using the uniqueness of your email address as a 2nd password.
This attack it truly horrendous and its disclosure will most likely reverberate for a while.
The first step of this attack is to create another account for the email address controlled by a victim. If Skype sent verification email to this address asking the victim to click a link to confirm creation of the new account, this first step wouldn't work.
The same is, or was at least, true of xbox live - someone registered using my email, and there's obviously no account confirmation, as the account is live and I receive email notifications etc, but I can't get into it or remove it, since I don't know the password. I wonder how many other sites do this to avoid friction on sign up?
sony network is the same. i have a throwaway gmail address which was used to sign up for the sony network an various games. at first i replied to any email that i didn't sign up for this, then i contacted sony network customer service, they said something marketing, i decided to not care. now every email from sony gets a direct way to the spam folder.
Incidentally, I've had someone (judging from the last name I get to see in the email, a Chinese person) use one of my email addresses to register a WoW account. You don't actually need to verify the email address, so they don't need access.
What's interesting is after spending 30min or so clicking around Blizzard's site there is no way to actually contact support without having an account. You also can't claim the account, because you need a first and last name along with the email address, and I only have one of their names.
In the end I just left it, it was an old account and there is no evidence that they had real access, and as it was a legacy account I'd securified it anyway (creating a massive 32character random password and storing it in a password manager, just to close off any loose ends).
We have had reports of a new security vulnerability issue. As a precautionary
step we have temporarily disabled password reset as we continue to investigate
the issue further. We apologize for the inconvenience but user experience and
safety is our first priority
Yeah, at my last job, someone implemented a password strength checking feature that would actually reject stronger passwords. It required:
1. At least 3 out of the 4 categories uppercase, lowercase, digit, special character
2. No character could be repeated more than two times
3. No sequence of 3 or more increasing or decreasing letters or numbers could be present (and not even consecutive: "ta/Tbs#cz" would be rejected because it contains "abc").
4. No English words or names could be present.
5. It must be at least 8 characters
There may have been other restrictions too, I don't recall the exact details.
This meant that perfectly reasonable passphrases (like "correct horse battery staple") would be rejected. Even if you tried to come up with a good password that met the rule, you might fail by accident because "89cRbcThe*)" has the word "The" in it. You would generally have to come up with a password, then whittle it down slowly until you passed all of the rules, usually making it weaker in the process.
They must have really dedicated customers. That, or their users are required to use their system under the pain of multi-year imprisonment. I see no other way why would anyone agree to suffer through this.
It's even worse! Their website is so broken you can't change your password (new password fields are disabled) and you can't set a new email address as primary (the "make primary" button only appears when the new email address field is empty). Also, if you first add a new email address, save, then set it to primary, it disappears. Wtf.
I see no recourse other than closing my account, if that's still possible.  No, not even that is possible.
After adding the email address and clicking save, logging out, and logging in, I found the email address was successfully added. At this point I could change it to the primary one, click save, paste my password, and click the button on the password prompt to successfully change my primary email address. If I tried to add the email and make it primary in one session, it would not work. If I entered my password and hit enter, it would not work.
The site is very buggy indeed. But it is possible to change the primary email adress if, when you are prompted to retype your password, you "type password and click button by mouse, not by "Enter" key" (as the post says). Maybe that would work for you...
Well, they've certainly cleaned up their act, but I definitely wouldn't say that they're known to be among the best in the industry.. I remember just a few year ago, you could get to ring0 in Windows and install a rootkit just via the registry.. Let's not forget all the hotmail vulnerabilities similar to this that have been active for an indeterminate amount of time..
No they don't. They have a reputation for taking months to respond to security issues, responding with "yeah whatever, we'll look into it" and then doing nothing for months, leaving software vulnerable to known exploits because "its not patch day yet", and similar bullshit.
It's not a client-side fix. Just stop the server from sending the token/link to the clients. Sure, that might degrade the client experience a bit(assuming that the client isn't just displaying a webview in which case no degradation would occur) but it would fix the problem for now.
Later on you can take your time rolling out a client fix if it's required, but a hotfix server-side is entirely possible, there's no excuse keeping this vulnerability possible when it's been made this public(step by step instructions to hack someone's account, with screenshots!) especially since you were contacted privately about it ~3 months ago.
You don't push the fix to the client. They have some notification system ou there that is sending the messages to the client. They just need to stop it from sending these kind of messages. Obviously I can't say how much work is involved in that - but they don't need to push an updated client.
Early this morning we were notified of user concerns surrounding the security
of the password reset feature on our website. This issue affected some users
where multiple Skype accounts were registered to the same email address. We
suspended the password reset feature temporarily this morning as a precaution
and have made updates to the password reset process today so that it is now
working properly. We are reaching out to a small number of users who may
have been impacted to assist as necessary. Skype is committed to providing a
safe and secure communications experience to our users and we apologize
for the inconvenience.
Good to hear they fixed it but it was responsibly disclosed a month ago and Skype did nothing whatsoever. We really need a better way to hold a company accountable for appropriately reacting to proven security threats without requiring a public disclosure.
It should be noted that after my account password is changed, I tried to login with the old password, the Windows Skype app told me the username and password combination is wrong but it still let me logged in. This may be a different bug in caching?
Hope we can get a postmortem report out of this...
The notification about the password reset token does appear in the Skype client, but no reset code is shown at first. Then I've pressed Ctrl+F5 on the home screen, skipped the Facebook thing, and here they are!
I think it's a good practice to always use unique, unpredictable email addresses when signing for online services.
1. Most people use the same or similar password, so once one account gets hacked, the attacker is probably able to use many other accounts on different services with the same email address/password combo.
2. It's easier to spot services that spam, or that leak your email address (I became aware of a leak of email addresses on Box... luckily it was only emails that got leaked, at least according to Box support).
3. It's easier to block spam, once a service misbehaves or gives away the email.
update: (if blog post is too long...) this does not mean setting up hundreds of different email accounts. On most services like hotmail, google and yahoo you can simply append some unique string to your email address, e.g. firstname.lastname@example.org. Making this unpredictable is important however, so appending +facebook and +twitter is not helping much though...
Are you suggesting to have a different email address for every online service we use? Today I manage about 100 different unique passwords for every online service. This is already very inconvenient. Adding as well as having different bogus email addresses would be at least 2 times more difficult!
I think something is really broken in today's web authentication scheme. I think there is really huge need for some independent and reliable service (Mozilla's Personas maybe).
While I don't necessarily agree with your parent's post, there's a relatively simple solution here. If you're using gmail, you can use the + operator to automatically tag emails. Here, it serves an alternative purpose.
For example, if my email is email@example.com, then I would use firstname.lastname@example.org when signing up for Hacker News.
Skipping over the fact that most email providers don't necessarily support this, and that not all websites/services will allow it (not saying they are right not to), this creates a whole new set of things to remember as even something as simple as +hn (which is surely simple enough that anyone could guess it) could be tougher on other sites, e.g. is Reddit +rd, +re, or...?
To carry this idea further, the +descriptor email trick has backfired on me before. Sometimes sites require an email login and it takes me several tries to even remember what my +descriptor was.
Sometimes, I don't actually remember and just end up going to my inbox to find an email from the site so I can look up what I used.
Another time, this backfired on me when I purchased concert tickets using a +descriptor email and couldn't login. The purchase form and login form had different validation rules, so the purchase form accepted my +descriptor email and charged me for it. The login form rejected my +descriptor email and I was rushing to contact customer service to print my ticket in time.
I do it, and have done it for a pretty long time. In the vast majority of cases, it's (almost) in the form of email@example.com - which is usually pretty easy to remember.
If someone was directly targeting me, and had my email address from another site, they could probably figure out what I'd used elsewhere. But if it's just a script running through email addresses harvested from site A, then mine will almost always be irrelevant on site B.
The main reason I use it though is that it's a great way to figure out where spam is coming from. Last week for instance I got a "male enhancement" spam from an email address I've only ever given to scan.co.uk. That addres is now on my block list and I doubt I'll be buying through them again.
Sadly this is at best a complicated workaround, that will will work for people that are motivated enough to remember for each different service a separate email and password and additionally to this you have to remember as well the credentials to manage your email address and check the emails from different sites.
In my case it would mean having about 100 email addresses.
You actually don't need separate emails for this. You can use (firstname.lastname@example.org, Gmail supports it and others too I'm sure). Or you can use your own domain (Google Apps makes this really trivial) and have the part before @ be the sitename (that's what OP suggests) and then have catch-all address. You might receive slightly more spam if you turn on catch-all, but I have a setup like this a it works.
http://www.keepassx.org/ is a free and open-source password manager. It makes using almost infinite numbers of accounts easy to use. If you use secure passwords they are like not possible to remember anyways.
I think it's possible to flip the order. Instead of managing 100 passwords for each account, manage 100 emails and ONE password for all accounts. Make sure your password is really strong, and you should be better-off than managing those 100 passwords, which require a secure password manager.
Of course it's better to have a real password manager, but for most people, who don't or can't be bothered setting this up, this would be a huge step forward since they anyway use the same email and the same password everywhere.
did you actually read what I was saying on the blog post or the comment??
Most people re-use not only the password, but also their email. This is the worst combination.
If you use an unpredictable, unique email address, and use a secure password. Even if it leaks on one site, the attacker has no easy way to predict what your email address is going to be on any other site without having access to the list of email addresses.
Yeah, you could do that as well. I just don't like the idea that someone holds my email address. After reading few stories where Google/Microsoft blocks access to email, I decided to move my email to custom domain. In case of any issues all I have to do is change MX names to new provider to start receiving my mails again.
Yes, but one of the great things about having GApps with your own domain name, is that you are not tied to Google as an email provider, and can easily switch. If you use something like the '+' modifier, then if you switch away you need to switch to someone that supports the same modifier.
So if your goal is to maintain email-provider independence, then relying on provider-specific features like the '+' modifier works against that goal.
For me though, the main reason I don't use it is most sites that I want to use it on reject the '+' in the address as invalid. It happens enough that I don't bother trying anymore.
The problem I was trying to solve is of many people who use the same password and email everywhere, and who won't use a password manager or feel it's too complicated to install or use etc.
The email addresses are not as sensitive as passwords. Sure. If someone gets hold of all of them AND your master password you're in trouble. But same goes to getting your password manager file and the password for it.
The difference is you don't need a password manager software. You can store this list anywhere which is reasonably safe.
It is only easier in the sense of not having to install or use a password manager, and that the email addresses themselves are not as sensitive as the password.
As with everything security related, there is a trade-off. I'm not saying it's more secure, but it can be more convenient in certain circumstances and for certain people.
A password-manager is more secure (if the master password is and the manager software is safe). A unique email address + unique password with a password manager even more so. two-factor authentication even more... and so on...
It's just a question of options/priorities. This is still a valid option in my opinion which might work well for some people who don't want / can't use a password manager, but can handle a list of random email addresses...
what I do is intersperse the site name with my username at my domain e.g. for skype:
then I have a catch-all on the domain, and lower the priority of emails that aren't to my normal address, but any important emails get their own forwarder to forward into my main inbox, so I will get the emails on my mobile devices.
Tons of folks (think: grandmothers and parents and other potentially non-tech-savvy folks) have been using Skype to communicate with family members across the globe for many years. Simply expecting them to switch to Google Hangouts is a tall order.
Well, I'm not a big fan of Skype but I tend to use it for longer calls with family overseas (US<->Europe) because I experience quite significantly better video/audio quality. Few months back (it's fixed now I think) I even had freezing video every so often on Google Hangout.
Or screen sharing, it was completely unusable in Google Hangouts on Linux just 2 months back whereas Skype didn't have any issue and worked (surprisingly!) flawlessly.
I don't really perceive the network effect that much, everybody I have on Skype also has a Google account.
Because Skype always works. For example, most ISP in Russia still allow access to provider's network ever if internet connection is unpaid. Skype works, because somebody with internet who paid for it is gate for all unpaid users.
Skype traffic is almost impossible to block except some hacks about detecting his autoupdate.
Works usually yes, but that isn't all a good service needs. I'd like to enjoy using it rather than getting Skype-rage. Interface, inability to block calls (from iOS at least), I'd better not start or I won't stop.
Because I don't want to sign up for Google+. I dislike the idea of bundling their social data mining solution with just about anything, like a less obvious and impossible to opt-out version of whatever-toolbar bundled with software years ago.