Skype Disables Password Resets After Huge Security Hole Discovered

another random user writes with news of a vulnerability in the Skype password reset tool "All you need to do is register a new account using that email address, and even though that address is already used (and the registration process does tell you this) you can still complete the new account process and then sign in using that account Info (original post in Russian)" concealment adds a link to another article with an update that Skype disabled the password reset page as a temporary fix.

Phew

[GameboyRMH]

I could have been easily hit by that one...

Re:Phew

[mr1911]

I could have been easily hit by that one...

Think you weren't? I've been dialing your contacts all morning while dressed appropriately for chatroulette. Your grandma did not look happy, but your wife stayed connected for 45 minutes...

Re:Phew

[GameboyRMH]

Of course I already checked that I had access, you can't steal an account this way without changing the password which would lock me out. And you incorrectly assumed that I have a wife ;-)

Oh, no!

Now my identity will be stolen!

Re:Oh, no!

It already has been. Anonymous Cowards are everywhere! We are Legion!

there are security exploits

[circletimessquare]

then there are epic lulz

Re:Defective Microsoft

[Chrisq]

Which part of "Microsoft Product" did you not understand?

I almost feel sorry for them discovering this just after they discontinued Microsoft Messenger and moved people on to Skype. To be fair I expect this hole existed when they brought Skype.

Re:Defective Microsoft

I'd ask for a refund!

Re:Defective Microsoft

Bought*

I wish people would get this mix up of words right. It's like when someone says "me either" in response to something like "I dont like that":

- I don't like bees
- Nah, me either, i hate them.

It's neither dammit!!

Re:Defective Microsoft

[cp.tar]

I almost feel sorry for them discovering this just after they discontinued Microsoft Messenger and moved people on to Skype. To be fair I expect this hole existed when they brought Skype.

I’m not so sure about that, y’know. It would likely have been discovered by now.
I expect it’s a side effect of the migration of MSN users to Skype as it likely requires changes to both Skype and its backend.

Re:Defective Microsoft

Your to fussy. I could care less.

Skype...

...take a deep breath, then get ready to rant!

Security is for pussies...!

Re:Defective Microsoft

[junk]

I almost feel sorry for them discovering this just after they discontinued Microsoft Messenger and moved people on to Skype. To be fair I expect this hole existed when they brought Skype.

I’m not so sure about that, y’know. It would likely have been discovered by now.

I expect it’s a side effect of the migration of MSN users to Skype as it likely requires changes to both Skype and its backend.

It's not new. I have an email address that people assume doesn't exist and rt they sign up for things all the time. About two years ago, I received a password reset mail from Skype. When I went to reset it (as I do with every random account people sign up for with my email), they gave me the option to reset about a half dozen accounts. I now maintain a list of burner Skype accounts that had previously used my address.

Fun fact: you are limited to 4 successful resets, per email address, per day.

Re:Defective Microsoft

[yahwotqa]

Guys, loose this off-topic subthread already.

HurrDurr 101?

[SuperCharlie]

If I understand this "security hole" correctly.. and they have already popped the data to let you know the email is taken.. isn't it pretty much close to nobrainer not to go ahead with that insert query? I may be a simple caveman.. but cmon.. even in my worst spaghetti code this is solidly on the durr side of Hurr-Durrrr

Re:HurrDurr 101?

Why have a unique key on email field when not having it makes the checks so much "better"? :)

The bottom line is that insert query should not be possible to work.

Re:HurrDurr 101?

[Ksevio]

That part actually makes sense. Skype allows you have have multiple accounts tied to the same email (some people might use that to separate contacts but maintain the same email). To make it easy to use, you don't have to verify the email belongs to you, but email is really only for password resets so it's not a big deal if you put a bogus email in.

Now if you were just signed up with some random guy's email, it wouldn't be such a big deal, but the BIG security issue here is that for whatever reason Skype will send the password reset message to the random guy's email AND any Skype client associated with the email, and then almost worse, let you pick which account on the email to reset.

If the password reset message was just sent to the email, it would be fine, but sending it to an account that doesn't have a verified email is an issue.

Re:HurrDurr 101?

This is just another thing on the list of reasons why people shouldn't use/trust Skype. I honestly can't imagine doing business with companies that don't even do the simplest form of user verification. How hard is it to send an email verification link when you sign up for an account?

Hint: Not hard at all.

I f'ing hate Skype.

Re:HurrDurr 101?

Hey! Dontcha diss MS's business sense.

As ads are Skype's major monetization part now, you really don't want to hinder blowing up the user base numbers^W^W^W^W^W^Wcreate unnecessary barriers for valuable new users.

Re:HurrDurr 101?

[rhizome]

I'm not sure I understand this.

So, it appears that Friendster still exists, and that it's quite popular in Southeast Asia. I have a domain that is apparently a natural one to use by teenage girls in Indonesia when creating their Friendster accounts. I have received many, many notification emails associated with these accounts, after which I request a password reset, receive the email, then log in and lock the account down, typically with a "HURR DURR I DON'T KNOW WHAT EMAIL IS" type status message. Is this a security issue of Friendster's, or a natural consequence of using another person's email address?

Of course, I've thought many times that Friendster is lame-o for not verifying email addresses, but I figure it's an indication that their business is so unsuccessful that they need all the users they can get, even if they have to use a "Reddit Alias" style account creation strategy.

Re:HurrDurr 101?

[amicusNYCL]

That part actually makes sense. Skype allows you have have multiple accounts tied to the same email (some people might use that to separate contacts but maintain the same email). To make it easy to use, you don't have to verify the email belongs to you, but email is really only for password resets so it's not a big deal if you put a bogus email in.

How about this for a simple fix to still allow this multi-account feature: people can create as many accounts as they want to with the same email address, but in order to do that they need to be logged in to one of their existing accounts. You don't get to just sign up with a new account anonymously and use whatever email address is already linked to an account.

Re:HurrDurr 101?

[Qzukk]

Why have a unique key on email field when not having it makes the checks so much "better"? :)

A unique key for emails like 'AnonymousCoward@example.org', 'ANONYMOUSCOWARD@EXAMPLE.ORG', 'aNoNyMoUsCoWaRd@eXaMpLe.OrG'?

Mayhaps you mean a unique key on upper(email field).

I don't entirely buy this...

[dalias]

I have multiple skype accounts created on the same email address (for different people, however) and it does not allow one to login as the other. It's possible to password-reset any of them independently.

Re:I don't entirely buy this...

If dalias is correct in saying that the accounts using the same email address are independent, and that it follows that an account cannot be hijacked, then all that's really happening is a new account is created with an incorrect email address. The failure in this case would be in accepting this submission to slashdot.

Re:I don't entirely buy this...

[SpzToid]

Statistically speaking, you seem correct. Consider the brute-force possibilities of all those many millions of Skype users, some with dubious motivations, and how many of them must have tried this at least once and paid attention?

Or, maybe they did, and just kept quiet about it?

And profited?

Think about the billions.

Skype was never exactly motivated to further innovate, or engineer to a higher level; possibly with security enhancements. Skype has always been about the numbers. The numbers also indicate someone would have brute-forced them by now though, if this minor-hack is true.

Re:I don't entirely buy this...

You miss the point completely.

It's password reset token notification with link (like this) that appeared in Skype clients of anyone who has this email set as primary. When you click that link it led to password reset page with a dropdown box listing all accounts registered with this email and "reset password" button.

The problem is that they don't require verification when setting a primary email.

Re:I don't entirely buy this...

The failure in your case is your post.

Here's how it works:

1. Sign up for a new Skype account. Use the victim's email. A warning will come up that an account with that email already exists, but you can still proceed with filling out the form and account creation.
2. Log in to the Skype client with your new account.
3. https://login.skype.com/account/password-reset-request - request a password reset using the victim's email.
4. You will get a password reset notification and token in your skype client. Follow the link to pick the victim's account and reset the password.

It appears the only way to safeguard yourself for now is to change your main Skype account email to one that's not publicly known.

Re:Defective Microsoft

LOL!

Unfortunately, it's an AMERICAN thing.

Just like the idiots who keep saying 'more THAT' or 'MORE then', instead of 'more THAN'.

How can anybody not know the difference between those three words? Obviously they don't read any printed media, just trash off the internet.

Re:Defective Microsoft

[Kiuas]

To be fair I expect this hole existed when they brought Skype

That doesn't seem likely. In fact, I think this is a side effect of Microsoft preparing to integrate the 100 million msn messenger users into Skype. Somebody has been trying to ensure that the accounts will overlap nicely and has obviously made a huge mistake which allows this to happen.

Don't they test anything?

[mschaffer]

What kind of QA system do they have in place at Skype---or maybe they should start one?

Re:Don't they test anything?

[pixelpusher220]

Well they have a QA system, but they forgot the password, and right now the password reset functionality is disabled.

I'm sure they'll get back to it soon though!

Re:Defective Microsoft

Cry more.

Re:Defective Microsoft

[kelemvor4]

Bought*

I wish people would get this mix up of words right. It's like when someone says "me either" in response to something like "I dont like that":

- I don't like bees - Nah, me either, i hate them.

It's neither dammit!!

It's damn it...

Xbox Live

[asavage]

Microsoft also has issues with Xbox Live although not close to as bad. Some guy when he bought Xbox Live Gold accidentally entered my email address which has linked his 5 year account to my email. Last weekend I bought a game on steam which requires Games for Windows Marketplace. Since I had to have an account to play the game I entered my email and it said I already had an account so I did a password reset. This other guy has now lost his Xbox Live Gold account with 7 months left already paid for and support doesn't seem to know how to fix it. Also I now have a stupid gamertag which apparently I can't change without an Xbox.

This doesn't compare to the skype hole but there should be no way to link an account to an unverified email address.

Re:Xbox Live

[s0nicfreak]

Uh, you do know you could just change the email associated with the account ( https://commerce.microsoft.com/PaymentHub/Profile ) for the guy, then give him that account and set up a new one with your email address, right?

Re:Xbox Live

[wiredlogic]

Someone signed up for a facebook account with my e-mail address. I let it go for a year or so but then the FB spam became too annoying so I reset the password and deactivated his account for him.

Re:Xbox Live

[theArtificial]

+1 for nice guys.

Re:Xbox Live

How is he going to give the new account to the guy? Maybe sending a message to his friends in hopes that one knows him beyond XBL.

Re:Xbox Live

[asavage]

I can't do that as I lose access the game I just bought.

Re:Xbox Live

[s0nicfreak]

At the very least offer it back in exchange for another copy of the game.

Re:Xbox Live

[s0nicfreak]

Well i would imagine the guy is freaking out and messaging him asking for his account back. But if not he could google the Gamertag, the guy probably posted it on a forum or something which will allow for finding some form of contact.

Re:Defective Microsoft

Guys, loose this off-topic subthread all ready.

FTFY. Jeeze.

Re:Defective Microsoft

LOL!

Unfortunately, it's an AMERICAN thing.

Just like the idiots who keep saying 'more THAT' or 'MORE then', instead of 'more THAN'.

How can anybody not know the difference between those three words? Obviously they don't read any printed media, just trash off the internet.

Or people who say "this person that I just met". It's "who", or if you really understand grammar then it's "whom". "That" doesn't work unless you just "met" an inanimate object.

Re:Defective Microsoft

Guys, loose this off-topic subthread all ready.

FTFY. Jeeze.

FTF*Y*

Guys, *lose* this off-topic subthread *already*.

Christ!

SKYPEFALL

That is all.

A *little* more information would have been nice..

[wonkey_monkey]

As minimal summaries go this one will take some beating.

"All you need to do is register a new account using that email address

Wait, which email address? (the person whose account who want to gain access to, says the article)

and even though that address is already used (and the registration process does tell you this) you can still complete the new account process and then sign in using that account Info (original post in Russian)"

Right, and then what? You seem to have missed the entire rest of the process where you actually carry out the password reset trick. Make me read the bloody article indeed...

The reason this works is simple, but it’s still worrying. When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account.

Or something like that.

Re:Defective Microsoft

[helix2301]

Microsoft buying anything paints a target on it plus there is defiantly popularity and market value compared to other messengers so bound to have people hunting for security flaws. The just had another big security flaw discovered back in July http://yro.slashdot.org/story/12/07/16/175247/skype-bug-sends-messages-to-random-contacts bug agin you can't blame Microsoft they bought with this issue now they just need to fix it. This one is far worse then Skype Bug Sends Messages To Random Contacts.

Re:A *little* more information would have been nic

[hobarrera]

RTFA! It's all clearly explained there!

Re:Defective Microsoft

*WHOOSH*

Re:Defective Microsoft

[NotBorg]

Oh come on now. I thought it worked just fine.

MS Exec: Should we get Skype?
Dylan Hunt: Lets bring it!
MS Exec: Pwnt!

Re:Defective Microsoft

I'm particularly disturbed at how pervasive the use of "axe" in place of "ask" has become in this country. People who use "axe" for "ask" will be the first up against the wall when *my* revolution comes.

Re:Defective Microsoft

[amicusNYCL]

I have an email address that people assume doesn't exist

With a username like "junk"? Inconceivable! There's someone out there who's actually checking junk@junk.com?

Re:Defective Microsoft

Not sure if we got one to bite, or if it's very,very clever...

Re:Defective Microsoft

[K.+S.+Kyosuke]

if you really understand grammar

I don't think you can "understand" grammar (*) any more than you can "understand" vocabulary, as in why the sequence D-O-G represents a cute fluffy animal that barks and the sequence C-A-T represents a cute fluffy animal that meows. Grammar simply IS what it is, and sometimes it changes to something else, just like vocabulary. Wait a century and watch "whom" sink into oblivion.

(*) Unless, of course, we're talking about Universal Grammar.

Re:Defective Microsoft

[Zemran]

It is basically the difference between knowing their shit and knowing they're shit.

Billing issues

[xanadu113]

Skype has also been plagued with billing issues. I had a subscription years ago, that bank card is now expired. I cancelled the subscription, years ago.. as soon as Microsoft bought Skype, I started getting emails saying my card was declined, with no recourse, no way to cancel the subscription they tried to start up on me again...

Re:Defective Microsoft

[Zemran]

If you are god@heaven.com, then it is my spam you get :-P

Re:Defective Microsoft

[mcgrew]

Too late, it's already been set free.

Re:Defective Microsoft

[v1]

Fun fact: you are limited to 4 successful resets, per email address, per day.

Oooh, that is a fun fact! You must have been bored though?

Usually when things like this happen, people start looking for places to poke fun, like bill.gates@live.com etc. I wonder who balmer has in his skype contact list?

Re:Defective Microsoft

[gtall]

Satan@Hell.com

Re:Defective Microsoft

Didn't you see the commercials?
Using axe gets you the ladies!

Re:Defective Microsoft

[TranquilVoid]

I think "understand" makes sense in this context. You are arguing that spelling, or perhaps definition, is simply memorisation. In this reductive sense everything, like the rules of physics, is simply memorised rather than understood. Grammar, though, requires a deeper knowledge of language concepts (in this case subject and object pronouns) and context than spelling or noun definition.

You are probably correct about "whom" disappearing - it's almost unused in common language already. English seems to be very good at losing its distinctions over time (thou, thee etc.), perhaps because of it's readiness to adopt foreign words. From a nerd point of view it seems sad to lose precision.

Re:Defective Microsoft

[K.+S.+Kyosuke]

I think "understand" makes sense in this context.

I beg to differ, and here is why...

You are arguing that spelling, or perhaps definition, is simply memorisation.

In any language, some aspects are governed by universal rules and the rest is purely incidental. Not surprisingly, a large part of what we call grammar is incidental. There's no reason, for example, for English to have exactly three verb tenses (for a certain value of "verb tense") referring to past events, having the precise semantic nuances they have in modern English. (For a more academic value of "verb tense", English only has two verb tenses, the past one and the indefinite one, but I still often use the "high school L2 English" grammar notions I was taught at, well, high school. Force of habit, I guess. I didn't have access to The Grammar of the English Verb Phrase, Volume 1 at that time.)

Grammar, though, requires a deeper knowledge of language concepts (in this case subject and object pronouns) and context than spelling or noun definition.

I have mentioned UG, haven't I?

From a nerd point of view it seems sad to lose precision.

Not from a language nerd point of view. Unless you descend to the level of a pidgin, you don't lose anything. Languages tend to compensate. By way of example, can you figure out any case where "this person who I just met" and "this person whom I just met" could mean two different things, therefore necessitating the presence of "whom" in the language? Or is it the case that you can disambiguate between the subject and the object role of any noun phrase based on the syntax of the sentence, therefore obviating the need for "whom"?

If you're a nerd, take a look at Riau Indonesian to find out how simple grammatically a language can get without becoming unusable. Not even at that level of simplicity does it become a grammar-less pidgin.