Skype Disables Password Resets After Huge Security Hole Discovered

← Back to Stories (view on slashdot.org)

Skype Disables Password Resets After Huge Security Hole Discovered

Posted by Unknown on Wednesday November 14, 2012 @02:30AM from the time-to-get-a-landline dept.

another random user writes with news of a vulnerability in the Skype password reset tool "All you need to do is register a new account using that email address, and even though that address is already used (and the registration process does tell you this) you can still complete the new account process and then sign in using that account Info (original post in Russian)" concealment adds a link to another article with an update that Skype disabled the password reset page as a temporary fix.

65 comments

Min score:

Reason:

Sort:

Defective Microsoft by Anonymous Coward · 2012-11-14 02:33 · Score: -1, Troll

Which part of "Microsoft Product" did you not understand?
1. Re:Defective Microsoft by Chrisq · 2012-11-14 02:47 · Score: 1
  
  Which part of "Microsoft Product" did you not understand?
  I almost feel sorry for them discovering this just after they discontinued Microsoft Messenger and moved people on to Skype. To be fair I expect this hole existed when they brought Skype.
2. Re:Defective Microsoft by Anonymous Coward · 2012-11-14 02:51 · Score: 2, Funny
  
  I'd ask for a refund!
3. Re:Defective Microsoft by Anonymous Coward · 2012-11-14 02:55 · Score: 1, Informative
  
  Bought*
  I wish people would get this mix up of words right. It's like when someone says "me either" in response to something like "I dont like that":
  - I don't like bees
  - Nah, me either, i hate them.
  It's neither dammit!!
4. Re:Defective Microsoft by cp.tar · 2012-11-14 02:58 · Score: 2
  
  I almost feel sorry for them discovering this just after they discontinued Microsoft Messenger and moved people on to Skype. To be fair I expect this hole existed when they brought Skype.
  I’m not so sure about that, y’know. It would likely have been discovered by now.
  I expect it’s a side effect of the migration of MSN users to Skype as it likely requires changes to both Skype and its backend.
  
  --
  Ignore this signature. By order.
5. Re:Defective Microsoft by Anonymous Coward · 2012-11-14 03:01 · Score: 5, Funny
  
  Your to fussy. I could care less.
6. Re:Defective Microsoft by junk · 2012-11-14 03:04 · Score: 5, Insightful
  
  I almost feel sorry for them discovering this just after they discontinued Microsoft Messenger and moved people on to Skype. To be fair I expect this hole existed when they brought Skype.
  I’m not so sure about that, y’know. It would likely have been discovered by now.
  I expect it’s a side effect of the migration of MSN users to Skype as it likely requires changes to both Skype and its backend.
  It's not new. I have an email address that people assume doesn't exist and rt they sign up for things all the time. About two years ago, I received a password reset mail from Skype. When I went to reset it (as I do with every random account people sign up for with my email), they gave me the option to reset about a half dozen accounts. I now maintain a list of burner Skype accounts that had previously used my address.
  Fun fact: you are limited to 4 successful resets, per email address, per day.
7. Re:Defective Microsoft by yahwotqa · 2012-11-14 03:04 · Score: 2, Funny
  
  Guys, loose this off-topic subthread already.
8. Re:Defective Microsoft by Anonymous Coward · 2012-11-14 03:05 · Score: 0
  
  LOL!
  Unfortunately, it's an AMERICAN thing.
  Just like the idiots who keep saying 'more THAT' or 'MORE then', instead of 'more THAN'.
  How can anybody not know the difference between those three words? Obviously they don't read any printed media, just trash off the internet.
9. Re:Defective Microsoft by Kiuas · 2012-11-14 03:08 · Score: 5, Interesting
  
  To be fair I expect this hole existed when they brought Skype
  That doesn't seem likely. In fact, I think this is a side effect of Microsoft preparing to integrate the 100 million msn messenger users into Skype. Somebody has been trying to ensure that the accounts will overlap nicely and has obviously made a huge mistake which allows this to happen.
  
  --
  "It is the business of the future to be dangerous" -Alfred North Whitehead
10. Re:Defective Microsoft by Anonymous Coward · 2012-11-14 03:13 · Score: 0
  
  Cry more.
11. Re:Defective Microsoft by kelemvor4 · 2012-11-14 03:13 · Score: 2
  
  Bought*
  I wish people would get this mix up of words right. It's like when someone says "me either" in response to something like "I dont like that":
  - I don't like bees - Nah, me either, i hate them.
  It's neither dammit!!
  It's damn it...
12. Re:Defective Microsoft by Anonymous Coward · 2012-11-14 03:28 · Score: 0
  
  Guys, loose this off-topic subthread all ready.
  FTFY. Jeeze.
13. Re:Defective Microsoft by Anonymous Coward · 2012-11-14 03:39 · Score: 1
  
  LOL!
  Unfortunately, it's an AMERICAN thing.
  Just like the idiots who keep saying 'more THAT' or 'MORE then', instead of 'more THAN'.
  How can anybody not know the difference between those three words? Obviously they don't read any printed media, just trash off the internet.
  Or people who say "this person that I just met". It's "who", or if you really understand grammar then it's "whom". "That" doesn't work unless you just "met" an inanimate object.
14. Re:Defective Microsoft by Anonymous Coward · 2012-11-14 03:39 · Score: 0
  
  Guys, loose this off-topic subthread all ready.
  FTFY. Jeeze.
  FTF*Y*
  Guys, *lose* this off-topic subthread *already*.
  Christ!
15. Re:Defective Microsoft by helix2301 · 2012-11-14 04:19 · Score: 0
  
  Microsoft buying anything paints a target on it plus there is defiantly popularity and market value compared to other messengers so bound to have people hunting for security flaws. The just had another big security flaw discovered back in July http://yro.slashdot.org/story/12/07/16/175247/skype-bug-sends-messages-to-random-contacts bug agin you can't blame Microsoft they bought with this issue now they just need to fix it. This one is far worse then Skype Bug Sends Messages To Random Contacts.
  
  --
  http://www.thetechnologygeek.org
16. Re:Defective Microsoft by Anonymous Coward · 2012-11-14 05:09 · Score: 0
  
  *WHOOSH*
17. Re:Defective Microsoft by NotBorg · 2012-11-14 05:28 · Score: 1
  
  Oh come on now. I thought it worked just fine.
  MS Exec: Should we get Skype?
  Dylan Hunt: Lets bring it!
  MS Exec: Pwnt!
  
  --
  I want this account deleted.
18. Re:Defective Microsoft by Anonymous Coward · 2012-11-14 06:12 · Score: 1
  
  I'm particularly disturbed at how pervasive the use of "axe" in place of "ask" has become in this country. People who use "axe" for "ask" will be the first up against the wall when *my* revolution comes.
19. Re:Defective Microsoft by amicusNYCL · 2012-11-14 06:27 · Score: 1
  
  I have an email address that people assume doesn't exist
  With a username like "junk"? Inconceivable! There's someone out there who's actually checking junk@junk.com?
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
20. Re:Defective Microsoft by Anonymous Coward · 2012-11-14 06:30 · Score: 0
  
  Not sure if we got one to bite, or if it's very,very clever...
21. Re:Defective Microsoft by K.+S.+Kyosuke · 2012-11-14 06:52 · Score: 1
  
  if you really understand grammar
  I don't think you can "understand" grammar (*) any more than you can "understand" vocabulary, as in why the sequence D-O-G represents a cute fluffy animal that barks and the sequence C-A-T represents a cute fluffy animal that meows. Grammar simply IS what it is, and sometimes it changes to something else, just like vocabulary. Wait a century and watch "whom" sink into oblivion.
  (*) Unless, of course, we're talking about Universal Grammar.
  
  --
  Ezekiel 23:20
22. Re:Defective Microsoft by Zemran · 2012-11-14 07:03 · Score: 2
  
  It is basically the difference between knowing their shit and knowing they're shit.
  
  --
  I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
23. Re:Defective Microsoft by Zemran · 2012-11-14 07:06 · Score: 0
  
  If you are god@heaven.com, then it is my spam you get :-P
  
  --
  I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
24. Re:Defective Microsoft by mcgrew · 2012-11-14 07:16 · Score: 1
  
  Too late, it's already been set free.
  
  --
  Free Martian Whores!
25. Re:Defective Microsoft by v1 · 2012-11-14 09:14 · Score: 1
  
  Fun fact: you are limited to 4 successful resets, per email address, per day.
  Oooh, that is a fun fact! You must have been bored though?
  Usually when things like this happen, people start looking for places to poke fun, like bill.gates@live.com etc. I wonder who balmer has in his skype contact list?
  
  --
  I work for the Department of Redundancy Department.
26. Re:Defective Microsoft by gtall · 2012-11-14 10:57 · Score: 1
  
  Satan@Hell.com
27. Re:Defective Microsoft by Anonymous Coward · 2012-11-14 12:08 · Score: 0
  
  Didn't you see the commercials?
  Using axe gets you the ladies!
28. Re:Defective Microsoft by TranquilVoid · 2012-11-14 14:40 · Score: 1
  
  I think "understand" makes sense in this context. You are arguing that spelling, or perhaps definition, is simply memorisation. In this reductive sense everything, like the rules of physics, is simply memorised rather than understood. Grammar, though, requires a deeper knowledge of language concepts (in this case subject and object pronouns) and context than spelling or noun definition.
  You are probably correct about "whom" disappearing - it's almost unused in common language already. English seems to be very good at losing its distinctions over time (thou, thee etc.), perhaps because of it's readiness to adopt foreign words. From a nerd point of view it seems sad to lose precision.
29. Re:Defective Microsoft by K.+S.+Kyosuke · 2012-11-15 00:38 · Score: 1
  
  I think "understand" makes sense in this context.
  I beg to differ, and here is why...
  
  You are arguing that spelling, or perhaps definition, is simply memorisation.
  In any language, some aspects are governed by universal rules and the rest is purely incidental. Not surprisingly, a large part of what we call grammar is incidental. There's no reason, for example, for English to have exactly three verb tenses (for a certain value of "verb tense") referring to past events, having the precise semantic nuances they have in modern English. (For a more academic value of "verb tense", English only has two verb tenses, the past one and the indefinite one, but I still often use the "high school L2 English" grammar notions I was taught at, well, high school. Force of habit, I guess. I didn't have access to The Grammar of the English Verb Phrase, Volume 1 at that time.)
  
  Grammar, though, requires a deeper knowledge of language concepts (in this case subject and object pronouns) and context than spelling or noun definition.
  I have mentioned UG, haven't I?
  
  From a nerd point of view it seems sad to lose precision.
  Not from a language nerd point of view. Unless you descend to the level of a pidgin, you don't lose anything. Languages tend to compensate. By way of example, can you figure out any case where "this person who I just met" and "this person whom I just met" could mean two different things, therefore necessitating the presence of "whom" in the language? Or is it the case that you can disambiguate between the subject and the object role of any noun phrase based on the syntax of the sentence, therefore obviating the need for "whom"?
  If you're a nerd, take a look at Riau Indonesian to find out how simple grammatically a language can get without becoming unusable. Not even at that level of simplicity does it become a grammar-less pidgin.
  
  --
  Ezekiel 23:20
Phew by GameboyRMH · 2012-11-14 02:35 · Score: 0

I could have been easily hit by that one...

--
"When information is power, privacy is freedom" - Jah-Wren Ryel
1. Re:Phew by mr1911 · 2012-11-14 03:40 · Score: 4, Funny
  
  I could have been easily hit by that one...
  Think you weren't? I've been dialing your contacts all morning while dressed appropriately for chatroulette. Your grandma did not look happy, but your wife stayed connected for 45 minutes...
  
  --
  This post comes with a double-your-money-back guarantee!
  Any offense taken to this post is at your sole discretion.
2. Re:Phew by GameboyRMH · 2012-11-14 04:01 · Score: 1
  
  Of course I already checked that I had access, you can't steal an account this way without changing the password which would lock me out. And you incorrectly assumed that I have a wife ;-)
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
First post! by Anonymous Coward · 2012-11-14 02:37 · Score: -1

. :)
Yeah, like I expected anything else from a Micro$$$oft product.
Oh, no! by Anonymous Coward · 2012-11-14 02:38 · Score: 0

Now my identity will be stolen!
1. Re:Oh, no! by Anonymous Coward · 2012-11-14 02:43 · Score: 3, Funny
  
  It already has been. Anonymous Cowards are everywhere! We are Legion!
there are security exploits by circletimessquare · 2012-11-14 02:44 · Score: 0

then there are epic lulz

--
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Skype... by Anonymous Coward · 2012-11-14 03:01 · Score: 1

...take a deep breath, then get ready to rant!
Security is for pussies...!
HurrDurr 101? by SuperCharlie · 2012-11-14 03:04 · Score: 4, Funny

If I understand this "security hole" correctly.. and they have already popped the data to let you know the email is taken.. isn't it pretty much close to nobrainer not to go ahead with that insert query? I may be a simple caveman.. but cmon.. even in my worst spaghetti code this is solidly on the durr side of Hurr-Durrrr
1. Re:HurrDurr 101? by Anonymous Coward · 2012-11-14 03:53 · Score: 0
  
  Why have a unique key on email field when not having it makes the checks so much "better"? :)
  The bottom line is that insert query should not be possible to work.
2. Re:HurrDurr 101? by Ksevio · 2012-11-14 04:09 · Score: 5, Insightful
  
  That part actually makes sense. Skype allows you have have multiple accounts tied to the same email (some people might use that to separate contacts but maintain the same email). To make it easy to use, you don't have to verify the email belongs to you, but email is really only for password resets so it's not a big deal if you put a bogus email in.
  
  Now if you were just signed up with some random guy's email, it wouldn't be such a big deal, but the BIG security issue here is that for whatever reason Skype will send the password reset message to the random guy's email AND any Skype client associated with the email, and then almost worse, let you pick which account on the email to reset.
  
  If the password reset message was just sent to the email, it would be fine, but sending it to an account that doesn't have a verified email is an issue.
3. Re:HurrDurr 101? by Anonymous Coward · 2012-11-14 04:24 · Score: 0
  
  This is just another thing on the list of reasons why people shouldn't use/trust Skype. I honestly can't imagine doing business with companies that don't even do the simplest form of user verification. How hard is it to send an email verification link when you sign up for an account?
  Hint: Not hard at all.
  I f'ing hate Skype.
4. Re:HurrDurr 101? by Anonymous Coward · 2012-11-14 04:28 · Score: 0
  
  Hey! Dontcha diss MS's business sense.
  As ads are Skype's major monetization part now, you really don't want to hinder blowing up the user base numbers^W^W^W^W^W^Wcreate unnecessary barriers for valuable new users.
5. Re:HurrDurr 101? by rhizome · 2012-11-14 05:20 · Score: 1
  
  I'm not sure I understand this.
  So, it appears that Friendster still exists, and that it's quite popular in Southeast Asia. I have a domain that is apparently a natural one to use by teenage girls in Indonesia when creating their Friendster accounts. I have received many, many notification emails associated with these accounts, after which I request a password reset, receive the email, then log in and lock the account down, typically with a "HURR DURR I DON'T KNOW WHAT EMAIL IS" type status message. Is this a security issue of Friendster's, or a natural consequence of using another person's email address?
  Of course, I've thought many times that Friendster is lame-o for not verifying email addresses, but I figure it's an indication that their business is so unsuccessful that they need all the users they can get, even if they have to use a "Reddit Alias" style account creation strategy.
  
  --
  When I was a kid, we only had one Darth.
6. Re:HurrDurr 101? by amicusNYCL · 2012-11-14 06:31 · Score: 1
  
  That part actually makes sense. Skype allows you have have multiple accounts tied to the same email (some people might use that to separate contacts but maintain the same email). To make it easy to use, you don't have to verify the email belongs to you, but email is really only for password resets so it's not a big deal if you put a bogus email in.
  How about this for a simple fix to still allow this multi-account feature: people can create as many accounts as they want to with the same email address, but in order to do that they need to be logged in to one of their existing accounts. You don't get to just sign up with a new account anonymously and use whatever email address is already linked to an account.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
7. Re:HurrDurr 101? by Qzukk · 2012-11-14 07:52 · Score: 1
  
  Why have a unique key on email field when not having it makes the checks so much "better"? :)
  A unique key for emails like 'AnonymousCoward@example.org', 'ANONYMOUSCOWARD@EXAMPLE.ORG', 'aNoNyMoUsCoWaRd@eXaMpLe.OrG'?
  Mayhaps you mean a unique key on upper(email field).
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
I don't entirely buy this... by dalias · 2012-11-14 03:05 · Score: 4, Interesting

I have multiple skype accounts created on the same email address (for different people, however) and it does not allow one to login as the other. It's possible to password-reset any of them independently.
1. Re:I don't entirely buy this... by Anonymous Coward · 2012-11-14 03:18 · Score: 1
  
  If dalias is correct in saying that the accounts using the same email address are independent, and that it follows that an account cannot be hijacked, then all that's really happening is a new account is created with an incorrect email address. The failure in this case would be in accepting this submission to slashdot.
2. Re:I don't entirely buy this... by SpzToid · 2012-11-14 03:37 · Score: 1
  
  Statistically speaking, you seem correct. Consider the brute-force possibilities of all those many millions of Skype users, some with dubious motivations, and how many of them must have tried this at least once and paid attention?
  Or, maybe they did, and just kept quiet about it?
  And profited?
  Think about the billions.
  Skype was never exactly motivated to further innovate, or engineer to a higher level; possibly with security enhancements. Skype has always been about the numbers. The numbers also indicate someone would have brute-forced them by now though, if this minor-hack is true.
  
  --
  You can't be ahead of the curve, if you're stuck in a loop.
3. Re:I don't entirely buy this... by Anonymous Coward · 2012-11-14 04:12 · Score: 5, Informative
  
  You miss the point completely.
  It's password reset token notification with link (like this) that appeared in Skype clients of anyone who has this email set as primary. When you click that link it led to password reset page with a dropdown box listing all accounts registered with this email and "reset password" button.
  The problem is that they don't require verification when setting a primary email.
4. Re:I don't entirely buy this... by Anonymous Coward · 2012-11-14 06:42 · Score: 0
  
  The failure in your case is your post.
  
  Here's how it works:
  1. Sign up for a new Skype account. Use the victim's email. A warning will come up that an account with that email already exists, but you can still proceed with filling out the form and account creation.
  2. Log in to the Skype client with your new account.
  3. https://login.skype.com/account/password-reset-request - request a password reset using the victim's email.
  4. You will get a password reset notification and token in your skype client. Follow the link to pick the victim's account and reset the password.
  It appears the only way to safeguard yourself for now is to change your main Skype account email to one that's not publicly known.
Don't they test anything? by mschaffer · 2012-11-14 03:12 · Score: 1

What kind of QA system do they have in place at Skype---or maybe they should start one?
1. Re:Don't they test anything? by pixelpusher220 · 2012-11-14 03:31 · Score: 4, Funny
  
  Well they have a QA system, but they forgot the password, and right now the password reset functionality is disabled.
  
  I'm sure they'll get back to it soon though!
  
  --
  People in cars cause accidents....accidents in cars cause people :-D
Xbox Live by asavage · 2012-11-14 03:19 · Score: 1, Interesting

Microsoft also has issues with Xbox Live although not close to as bad. Some guy when he bought Xbox Live Gold accidentally entered my email address which has linked his 5 year account to my email. Last weekend I bought a game on steam which requires Games for Windows Marketplace. Since I had to have an account to play the game I entered my email and it said I already had an account so I did a password reset. This other guy has now lost his Xbox Live Gold account with 7 months left already paid for and support doesn't seem to know how to fix it. Also I now have a stupid gamertag which apparently I can't change without an Xbox.

This doesn't compare to the skype hole but there should be no way to link an account to an unverified email address.
1. Re:Xbox Live by s0nicfreak · 2012-11-14 04:48 · Score: 1
  
  Uh, you do know you could just change the email associated with the account ( https://commerce.microsoft.com/PaymentHub/Profile ) for the guy, then give him that account and set up a new one with your email address, right?
2. Re:Xbox Live by wiredlogic · 2012-11-14 06:08 · Score: 1
  
  Someone signed up for a facebook account with my e-mail address. I let it go for a year or so but then the FB spam became too annoying so I reset the password and deactivated his account for him.
  
  --
  I am becoming gerund, destroyer of verbs.
3. Re:Xbox Live by theArtificial · 2012-11-14 06:18 · Score: 1
  
  +1 for nice guys.
  
  --
  Man blir trött av att gå och göra ingenting.
4. Re:Xbox Live by Anonymous Coward · 2012-11-14 07:21 · Score: 0
  
  How is he going to give the new account to the guy? Maybe sending a message to his friends in hopes that one knows him beyond XBL.
5. Re:Xbox Live by asavage · 2012-11-14 14:03 · Score: 1
  
  I can't do that as I lose access the game I just bought.
6. Re:Xbox Live by s0nicfreak · 2012-11-16 09:42 · Score: 1
  
  At the very least offer it back in exchange for another copy of the game.
7. Re:Xbox Live by s0nicfreak · 2012-11-16 09:42 · Score: 1
  
  Well i would imagine the guy is freaking out and messaging him asking for his account back. But if not he could google the Gamertag, the guy probably posted it on a forum or something which will allow for finding some form of contact.
SKYPEFALL by Anonymous Coward · 2012-11-14 04:02 · Score: 0

That is all.
A *little* more information would have been nice.. by wonkey_monkey · 2012-11-14 04:02 · Score: 1

As minimal summaries go this one will take some beating.

"All you need to do is register a new account using that email address
Wait, which email address? (the person whose account who want to gain access to, says the article)

and even though that address is already used (and the registration process does tell you this) you can still complete the new account process and then sign in using that account Info (original post in Russian)"
Right, and then what? You seem to have missed the entire rest of the process where you actually carry out the password reset trick. Make me read the bloody article indeed...

The reason this works is simple, but it’s still worrying. When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account.
Or something like that.

--
systemd is Roko's Basilisk.
Re:A *little* more information would have been nic by hobarrera · 2012-11-14 04:31 · Score: 3, Informative

RTFA! It's all clearly explained there!
Billing issues by xanadu113 · 2012-11-14 07:04 · Score: 1

Skype has also been plagued with billing issues. I had a subscription years ago, that bank card is now expired. I cancelled the subscription, years ago.. as soon as Microsoft bought Skype, I started getting emails saying my card was declined, with no recourse, no way to cancel the subscription they tried to start up on me again...

--
-Myke