George A: Hello! Welcome to Skype Live Support! My name is George. How
may I help you?
me: Recently I have received an email welcoming me to Skype (not
phishing, I verified). The problem is that I didn't create the account
mentioned in the email. The account name was "[NEW SKYPE ACCOUNT]" and
my email is [MY EMAIL 1], so I think that user mistyped his email
address, and then Skype sent a welcome message to me. Doesn't Skype
verify email addresses before sending a welcome message?
George A: I understand that you are concerned about your email address
being used to setup a Skype account, I'll be happy to help you with
that. May I please have your Skype Name?
me: [MY SKYPE ACCOUNT]
George A: I would also need the email address, please.
me: [MY EMAIL 1]. Let me check that this address is on my Skype
account... OK, my email on file in Skype is [MY EMAIL 2], and a few
others too, all mine :)
George A: Well, I see that there is only Skype Name registered under
that email address, the Skype Name is [NEW SKYPE ACCOUNT]
me: Yes, for my account ([MY SKYPE ACCOUNT]) the primary email is [MY
EMAIL 2], but other emails on profile are [MY EMAIL 1], [MY EMAIL 2],
[MY EMAIL 3].
George A: May I please ask you to confirm which Skype Name that you do
me: Does Skype send a verification message before assigning the email
to account? The Skype name which I didn't create is [NEW SKYPE
George A: May I also have the email address that was used?
me: [MY EMAIL 1]
George A: Well, I would need to send you a confirmation to that email
address. I would kindly need you to reply back to that email.
me: Please do
George A: Then, we will be able to delete that Skype Name for you.
me: thank you
George A: You are most welcome, please expect my email within 10
minutes. Is there anything else I can help you with today?
me: Could you tell me if email accounts that are registered with Skype
are being verified by sending a message to them? If so, maybe there's a
bug in your system?
George A: We send a welcome email to the registered email address
whenever a new account is set up using that email.
me: OK, that's what I received. And then you also send other emails
with offers to the same account. So, basically, anyone can create an
account for any email. Why don't you verify emails?
George A: Please understand that all of us here at Skype take our
customers' privacy and confidentiality very seriously
me: OK. Thank you.
George A: You are most welcome. It's been a pleasure speaking with
you today. Thank you for contacting Skype Live Support, have a great
day. We value your feedback. Please be aware that we will ask you a
few questions after closing the chat window about your experience with
us today. Once you are ready please click on the "Exit" button.
me: I suggest adding a link to Welcome email that says "I didn't
create this account". Bye!
And now this failure to verify emails leads to the linked vulnerability. Nice.
http://www.h-online.com/security/news/item/Skype-investigati... claims that I discovered today's vulnerability, but I didn't. I discovered, by accident, that Skype doesn't verify email addresses (in fact, they still don't, even after fixing vulnerability); I don't even think that I'm the first person to do it.
Edit: I also didn't write the linked blog post, it was someone else.
This attack is truly horrendous and its disclosure will most likely reverberate for a while.
What's interesting is after spending 30min or so clicking around Blizzard's site there is no way to actually contact support without having an account. You also can't claim the account, because you need a first and last name along with the email address, and I only have one of their names.
In the end I just left it; it was an old account and there is no evidence that they had real access, and as it was a legacy account I'd securified it anyway (creating a massive 32-character random password and storing it in a password manager, just to close off any loose ends).