
OP at http://habrahabr.ru/post/158545/ (Russian) says that he reported this vulnerability about 3 months ago. The lack of any reaction is unbelievable.

Hint: you can change your email to something like user+skype@gmail.com to avoid registering a new email address.

Even now Skype reaction is unbelievable. They are "investigating the issue" for almost 2 hours.

Stop saying "Skype", use "Microsoft" instead, and it's not unbelievable at all.

Except that Microsoft has a pretty stellar reputation when it comes to security procedures. They're well known as being among the best in the industry.

Well, they've certainly cleaned up their act, but I definitely wouldn't say that they're known to be among the best in the industry. I remember just a few years ago, you could get to ring0 in Windows and install a rootkit just via the registry. Let's not forget all the hotmail vulnerabilities similar to this that have been active for an indeterminate amount of time.

A few years is an enormous period of time, especially when it comes to tech and infosec.

No they don't. They have a reputation for taking months to respond to security issues, responding with "yeah whatever, we'll look into it" and then doing nothing for months, leaving software vulnerable to known exploits because "it's not patch day yet", and similar bullshit.

Given what I've heard of Skype-as-Microsoft-Skype, it would be inaccurate to act like Skype has been assimilated or would have much if any overlap with the people handling Windows vulnerabilities.

Damn, it takes 2 minutes to "investigate the issue" if you simply follow the steps.

But probably a little longer to find a fix, test it and release it...

Not really, no. Just stop the reset token from appearing in the client. Just send it by email like you're supposed to and that's it, vulnerability gone.

Yeah, but pushing a client fix takes time. They'll need an excuse in the meantime.

It's not a client-side fix. Just stop the server from sending the token/link to the clients. Sure, that might degrade the client experience a bit (assuming that the client isn't just displaying a webview, in which case no degradation would occur), but it would fix the problem for now.

Later on you can take your time rolling out a client fix if it's required, but a hotfix server-side is entirely possible; there's no excuse keeping this vulnerability possible when it's been made this public (step-by-step instructions to hack someone's account, with screenshots!), especially since you were contacted privately about it ~3 months ago.
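The server-side hotfix argued for in the comment above (keep the reset link off the client notification channel and deliver it only to the registered email), as an added illustration that is not Skype's code and does not describe how Skype's service was actually built: a toy reset service in Python showing the weak delivery pattern beside the fixed one, plus the "block password reset" kill switch that later comments suggest as a stopgap. Every name here (ACCOUNTS, EMAIL_OUTBOX, CLIENT_NOTIFICATIONS, reset.example.com, the in-memory token table) is invented for the example, and the hashed, expiring, single-use token handling goes beyond what the thread discusses; it is ordinary practice, not something the page states about Skype.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for an account database and the two
# delivery channels: the registered email address, and an in-app
# notification feed that is pushed to every logged-in client of the
# account. Hypothetical names, not any real service's code.
ACCOUNTS = {"alice": {"email": "alice@example.com"}}
EMAIL_OUTBOX = []          # list of (recipient, body)
CLIENT_NOTIFICATIONS = []  # list of (username, payload) pushed to clients
RESET_TOKENS = {}          # sha256(token) -> (username, expiry timestamp)

TOKEN_TTL_SECONDS = 15 * 60
RESET_ENABLED = True       # kill switch: the "just block password reset" stopgap


def _issue_token(username):
    """Mint a fresh random token; keep only its hash server-side so a
    database read alone does not yield usable reset links."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (username, time.time() + TOKEN_TTL_SECONDS)
    return token


def request_reset_vulnerable(username):
    """Weak pattern: the reset link is fanned out to the client
    notification feed as well as to email, so any client the server
    associates with the account can read the secret."""
    if not RESET_ENABLED:
        return "reset disabled"
    token = _issue_token(username)
    link = f"https://reset.example.com/?token={token}"
    EMAIL_OUTBOX.append((ACCOUNTS[username]["email"], link))
    CLIENT_NOTIFICATIONS.append((username, f"Password reset requested: {link}"))
    return "ok"


def request_reset_hardened(username):
    """Fixed pattern: the token travels only over the out-of-band channel
    (the registered email). Clients get a generic notice with no secret."""
    if not RESET_ENABLED:
        return "reset disabled"
    token = _issue_token(username)
    link = f"https://reset.example.com/?token={token}"
    EMAIL_OUTBOX.append((ACCOUNTS[username]["email"], link))
    CLIENT_NOTIFICATIONS.append(
        (username, "A password reset was requested for your account. "
                   "If this was not you, contact support."))
    return "ok"


def redeem_token(token):
    """Consume a token: it works once, and only before expiry.
    Returns the username it was issued for, or None."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)  # pop makes it single-use
    if entry is None:
        return None
    username, expiry = entry
    if time.time() > expiry:
        return None
    return username


def notifications_leak_token(notifications):
    """Check for the bug: does any client-visible payload carry a token
    that the server would still redeem? Returns True if so."""
    for _, payload in notifications:
        if "token=" not in payload:
            continue
        candidate = payload.split("token=", 1)[1].split()[0]
        digest = hashlib.sha256(candidate.encode()).hexdigest()
        if digest in RESET_TOKENS:
            return True
    return False


if __name__ == "__main__":
    request_reset_vulnerable("alice")
    print("vulnerable pattern leaks token to clients:",
          notifications_leak_token(CLIENT_NOTIFICATIONS))
    CLIENT_NOTIFICATIONS.clear()
    RESET_TOKENS.clear()
    request_reset_hardened("alice")
    print("hardened pattern leaks token to clients:",
          notifications_leak_token(CLIENT_NOTIFICATIONS))
```

The fix is entirely in what the server puts on the wire: the hardened function still mints and emails the same token, it simply never places it in a payload that goes to clients. Flipping RESET_ENABLED to False shows the blunt stopgap, which stops new tokens from being issued at all until the delivery path is corrected.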

Right. There's one developer at Skype who can just do that and push it to production, without talking to anyone else, or getting approval from anyone else.

Be realistic. If two people need to talk about it, it's going to take longer than 2 minutes.

Longer than two minutes, definitely! More than 2 hours to investigate and fix? very doubtful. 3 months? That's a bit much...

I see you're not familiar with the nature of code deployments and everything that has to happen beforehand. ;)

The two hours were most likely spent on office politics as opposed to fixing the problem. I'm surprised it wasn't > 5 hours to be honest.

Given your description I'm sure I'm lucky I'm not familiar with that. I've never worked at any place that has > 40 employees. If I can manage, I hope never to have to.

Yeah, there's no doubt it sucks, but so can working for smaller organisations. It's all about the people you're working with. The bigger the company, the more deadwood you likely have to work with.

You don't push the fix to the client. They have some notification system out there that is sending the messages to the client. They just need to stop it from sending these kinds of messages. Obviously I can't say how much work is involved in that, but they don't need to push an updated client.

I think they can just temporarily turn off password reset to prevent account stealing. After that they can take their time to fix the problem, test it and roll out to the public.

Block password reset. It is as simple as that.

They have just done that.

yes, better to keep 0day working, and roll out fixes with the next release.

something like +fi92is82ls8223 is probably better, i.e. something not predictable / guessable.
