
In August I received an email from Skype thanking me for registering an account. But I already had an account, I didn't register this one. After comparing the new account name with part of my email, I came to the conclusion that someone mistyped their email address, and registered an account on my address. I contacted their live support, here's the conversation:

    George A: Hello! Welcome to Skype Live Support! My name is George. How
    may I help you?

    me: Recently I have received an email welcoming me to Skype (not
    phishing, I verified). The problem is that I didn't create the account
    mentioned in the email. The account name was "[NEW SKYPE ACCOUNT]" and
    my email is [MY EMAIL 1], so I think that user mistyped his email
    address, and then Skype sent a welcome message to me. Doesn't Skype
    verify email addresses before sending a welcome message?

    George A: I understand that you are concerned about your email address
    being used to setup a Skype account, I'll be happy to help you with
    that.  May I please have your Skype Name?


    George A: I would also need the email address, please.

    me: [MY EMAIL 1]. Let me check that this address is on my Skype
    account... OK, my email on file in Skype is [MY EMAIL 2], and a few
    others too, all mine :)

    George A: Well, I see that there is only Skype Name registered under
    that email address, the Skype Name is [NEW SKYPE ACCOUNT]

    me: Yes, for my account ([MY SKYPE ACCOUNT]) the primary email is [MY
    EMAIL 2], but other emails on profile are [MY EMAIL 1], [MY EMAIL 2],
    [MY EMAIL 3].

    George A: May I please ask you to confirm which Skype Name that you do
    not authorize?

    me: Does Skype send a verification message before assigning the email
    to an account? The Skype name which I didn't create is [NEW SKYPE

    George A: May I also have the email address that was used?

    me: [MY EMAIL 1]

    George A: Well, I would need to send you a confirmation to that email
    address. I would kindly need you to reply back to that email.

    me: Please do

    George A: Then, we will be able to delete that Skype Name for you.

    me: thank you

    George A: You are most welcome, please expect my email within 10
    minutes.  Is there anything else I can help you with today?

    me: Could you tell me if email accounts that are registered with Skype
    are being verified by sending a message to them? If so, maybe there's a
    bug in your system?

    George A: We send a welcome email to the registered email address
    whenever a new account is set up using that email.

    me: OK, that's what I received. And then you also send other emails
    with offers to the same account. So, basically, anyone can create an
    account for any email. Why don't you verify emails?

    George A: Please understand that all of us here at Skype take our
    customers' privacy and confidentiality very seriously

    me: OK. Thank you.

    George A: You are most welcome. It's been a pleasure speaking with
    you today. Thank you for contacting Skype Live Support, have a great
    day. We value your feedback. Please be aware that we will ask you a
    few questions after closing the chat window about your experience with
    us today.  Once you are ready please click on the "Exit" button.

    me: I suggest adding a link to Welcome email that says "I didn't
    create this account". Bye!

Realizing that there's nothing this support person can do about this, I sent an email to their "security" people. I received no reply.

And now this failure to verify emails leads to the linked vulnerability. Nice.

For reporters: what I wrote about is a different issue from today's vulnerability! However, if Skype verified emails, as I suggested, today's hack wouldn't be possible. (At least, today; I don't know whether those guys discovered the vulnerability earlier than I wrote to Skype support.)

http://www.h-online.com/security/news/item/Skype-investigati... claims that I discovered today's vulnerability, but I didn't. I discovered, by accident, that Skype doesn't verify email addresses (in fact, they still don't, even after fixing the vulnerability); I don't even think that I'm the first person to do so.

Edit: I also didn't write the linked blog post, it was someone else.

The same is, or at least was, true of Xbox Live: someone registered using my email, and there's obviously no account confirmation, as the account is live and I receive email notifications etc., but I can't get into it or remove it, since I don't know the password. I wonder how many other sites do this to avoid friction on sign up?

Happened to me too. I have no way to tell them that I am indeed not xXx_Rastafarian_xXx .

You're going to end up on some federal agency list for being a suspected pothead ;)

Fortunately even our fear of drugs isn't that insane.

Sony Network is the same. I have a throwaway Gmail address which was used to sign up for the Sony Network and various games. At first I replied to any email that I didn't sign up for this, then I contacted Sony Network customer service, they said something marketing, and I decided to not care. Now every email from Sony goes directly to the spam folder.

While I admit it's stupid they don't verify new users' email addresses, it doesn't look like doing so would even prevent this recent attack. If I understand the attack correctly, the only way to prevent your account being taken is to change your email address to something unknown, in effect using the uniqueness of your email address as a second password.

This attack is truly horrendous and its disclosure will most likely reverberate for a while.

The first step of this attack is to create another account for the email address controlled by a victim. If Skype sent a verification email to this address asking the victim to click a link to confirm creation of the new account, this first step wouldn't work.
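The two fixes proposed in this thread (confirm the address before the account is usable, and put an "I didn't create this account" link in the welcome mail) are easy to get right once an unconfirmed signup is modelled as a pending record rather than a live account. The following is an added example, not code from the original post or from Skype; the class, its token handling and the sample addresses are constructed for illustration. Tokens are random and looked up server-side, so there is nothing for a stranger to forge, and the registration response is deliberately the same shape whether or not the address is already claimed, so signup cannot be used to enumerate existing users.

```python
import secrets
import time


class SignupFlow:
    """Constructed example of email-verified signup.

    An account is created only when the address owner clicks the confirm
    link; the same mail carries a reject link that cancels the pending
    registration. Until then the username and address are reserved but
    not usable, so a mistyped or maliciously chosen address never turns
    into a live account bound to someone else's mailbox.
    """

    def __init__(self, ttl_seconds=24 * 3600):
        self.ttl = ttl_seconds
        self.pending = {}    # confirm token -> pending registration record
        self.rejects = {}    # reject token  -> confirm token it cancels
        self.accounts = {}   # username -> verified email
        self.owner = {}      # verified email -> username

    def register(self, username, email, now=None):
        """Record a pending signup and return (confirm_token, reject_token).

        A real system would put both tokens into the mail sent to `email`
        and would answer the HTTP request identically in every case; here
        the tokens are returned so the flow can be exercised offline.
        Returns None when the address is already verified for another
        account: that owner gets a notice, and nothing is created.
        """
        now = time.time() if now is None else now
        email = email.strip().lower()
        if email in self.owner:
            return None
        if username in self.accounts or any(
            rec["username"] == username for rec in self.pending.values()
        ):
            raise ValueError("username already taken or pending")
        confirm = secrets.token_urlsafe(32)
        reject = secrets.token_urlsafe(32)
        self.pending[confirm] = {
            "username": username,
            "email": email,
            "created": now,
            "reject": reject,
        }
        self.rejects[reject] = confirm
        return confirm, reject

    def confirm(self, token, now=None):
        """Activate the pending account; False for unknown, expired,
        rejected, or already-superseded tokens."""
        now = time.time() if now is None else now
        rec = self.pending.get(token)
        if rec is None:
            return False
        self._drop(token)  # single use, whether or not it succeeds
        if now - rec["created"] > self.ttl:
            return False
        if rec["email"] in self.owner:
            # Someone else verified the address while this was pending.
            return False
        self.accounts[rec["username"]] = rec["email"]
        self.owner[rec["email"]] = rec["username"]
        return True

    def reject(self, token):
        """The 'I didn't create this account' link: cancel the pending
        signup so its confirm token can never activate it."""
        confirm = self.rejects.get(token)
        if confirm is None:
            return False
        self._drop(confirm)
        return True

    def is_verified(self, username):
        return username in self.accounts

    def _drop(self, confirm):
        rec = self.pending.pop(confirm, None)
        if rec is not None:
            self.rejects.pop(rec["reject"], None)


def scenario():
    """Replay the situation from the thread with constructed data: a
    stranger signs up with the victim's address, the victim rejects it,
    and the stranger's confirm link is dead from then on."""
    flow = SignupFlow(ttl_seconds=3600)
    confirm, reject = flow.register("stranger", "Victim@example.com", now=0)
    victim_rejected = flow.reject(reject)
    stranger_activated = flow.confirm(confirm, now=60)
    return victim_rejected, stranger_activated, flow.is_verified("stranger")
```

In the `scenario()` walk-through the rejection succeeds, the later confirm attempt fails, and no account named "stranger" ever exists. An address that has already been verified by its owner cannot be registered again at all, which is the property that the first step of the attack described in this thread depends on not having.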

Turing test failure, or highly trained human? I'm not sure.

Encountering tech support people that would fail a Turing test is not nearly as rare as one would want it to be.

I suspect the support person may have been partly typing his responses and partly pasting prefab support snippets. Not sure though.

Incidentally, I've had someone (judging from the last name I get to see in the email, a Chinese person) use one of my email addresses to register a WoW account. You don't actually need to verify the email address, so they don't need access to it.

What's interesting is that after spending 30 min or so clicking around Blizzard's site there is no way to actually contact support without having an account. You also can't claim the account, because you need a first and last name along with the email address, and I only have one of their names.

In the end I just left it; it was an old account and there is no evidence that they had real access, and as it was a legacy account I'd securified it anyway (creating a massive 32-character random password and storing it in a password manager, just to close off any loose ends).

As usual, making this public and widely broadcast will probably encourage them to finally listen to you :)

Netflix has a similar problem - http://blog.hardikr.com/tech/netflix-email-fail/
