Hacker Newsnew | comments | show | ask | jobs | submit login

While I admit it's stupid they don't verify new user's email addresses, it doesn't look like doing so would even prevent this recent attack. If I understand the attack correctly, the only way to prevent your account being taken is to change you email address to something unknown. In effect using the uniqueness of your email address as a 2nd password.

This attack it truly horrendous and its disclosure will most likely reverberate for a while.




The first step of this attack is to create another account for the email address controlled by a victim. If Skype sent verification email to this address asking the victim to click a link to confirm creation of the new account, this first step wouldn't work.

-----




Applications are open for YC Winter 2016

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: