Slashdot Mirror

← Back to Stories (view on slashdot.org)

Skype Disables Password Resets After Huge Security Hole Discovered

Posted by Unknown on from the time-to-get-a-landline dept.

another random user writes with news of a vulnerability in the Skype password reset tool "All you need to do is register a new account using that email address, and even though that address is already used (and the registration process does tell you this) you can still complete the new account process and then sign in using that account Info (original post in Russian)" concealment adds a link to another article with an update that Skype disabled the password reset page as a temporary fix.

16 of 65 comments (clear)

  1. Re:Oh, no! by Anonymous Coward · · Score: 3, Funny

    It already has been. Anonymous Cowards are everywhere! We are Legion!

  2. Re:Defective Microsoft by Anonymous Coward · · Score: 2, Funny

    I'd ask for a refund!

  3. Re:Defective Microsoft by cp.tar · · Score: 2

    I almost feel sorry for them discovering this just after they discontinued Microsoft Messenger and moved people on to Skype. To be fair I expect this hole existed when they brought Skype.

    I’m not so sure about that, y’know. It would likely have been discovered by now.
    I expect it’s a side effect of the migration of MSN users to Skype as it likely requires changes to both Skype and its backend.

    --
    Ignore this signature. By order.
  4. Re:Defective Microsoft by Anonymous Coward · · Score: 5, Funny

    Your to fussy. I could care less.

  5. Re:Defective Microsoft by junk · · Score: 5, Insightful

    I almost feel sorry for them discovering this just after they discontinued Microsoft Messenger and moved people on to Skype. To be fair I expect this hole existed when they brought Skype.

    I’m not so sure about that, y’know. It would likely have been discovered by now.

    I expect it’s a side effect of the migration of MSN users to Skype as it likely requires changes to both Skype and its backend.

    It's not new. I have an email address that people assume doesn't exist and rt they sign up for things all the time. About two years ago, I received a password reset mail from Skype. When I went to reset it (as I do with every random account people sign up for with my email), they gave me the option to reset about a half dozen accounts. I now maintain a list of burner Skype accounts that had previously used my address.

    Fun fact: you are limited to 4 successful resets, per email address, per day.

  6. Re:Defective Microsoft by yahwotqa · · Score: 2, Funny

    Guys, loose this off-topic subthread already.

  7. HurrDurr 101? by SuperCharlie · · Score: 4, Funny

    If I understand this "security hole" correctly.. and they have already popped the data to let you know the email is taken.. isn't it pretty much close to nobrainer not to go ahead with that insert query? I may be a simple caveman.. but cmon.. even in my worst spaghetti code this is solidly on the durr side of Hurr-Durrrr

    1. Re:HurrDurr 101? by Ksevio · · Score: 5, Insightful

      That part actually makes sense. Skype allows you have have multiple accounts tied to the same email (some people might use that to separate contacts but maintain the same email). To make it easy to use, you don't have to verify the email belongs to you, but email is really only for password resets so it's not a big deal if you put a bogus email in.

      Now if you were just signed up with some random guy's email, it wouldn't be such a big deal, but the BIG security issue here is that for whatever reason Skype will send the password reset message to the random guy's email AND any Skype client associated with the email, and then almost worse, let you pick which account on the email to reset.

      If the password reset message was just sent to the email, it would be fine, but sending it to an account that doesn't have a verified email is an issue.

  8. I don't entirely buy this... by dalias · · Score: 4, Interesting

    I have multiple skype accounts created on the same email address (for different people, however) and it does not allow one to login as the other. It's possible to password-reset any of them independently.

    1. Re:I don't entirely buy this... by Anonymous Coward · · Score: 5, Informative

      You miss the point completely.

      It's password reset token notification with link (like this) that appeared in Skype clients of anyone who has this email set as primary. When you click that link it led to password reset page with a dropdown box listing all accounts registered with this email and "reset password" button.

      The problem is that they don't require verification when setting a primary email.

  9. Re:Defective Microsoft by Kiuas · · Score: 5, Interesting

    To be fair I expect this hole existed when they brought Skype

    That doesn't seem likely. In fact, I think this is a side effect of Microsoft preparing to integrate the 100 million msn messenger users into Skype. Somebody has been trying to ensure that the accounts will overlap nicely and has obviously made a huge mistake which allows this to happen.

    --
    "It is the business of the future to be dangerous" -Alfred North Whitehead
  10. Re:Defective Microsoft by kelemvor4 · · Score: 2

    Bought*

    I wish people would get this mix up of words right. It's like when someone says "me either" in response to something like "I dont like that":

    - I don't like bees - Nah, me either, i hate them.

    It's neither dammit!!

    It's damn it...

  11. Re:Don't they test anything? by pixelpusher220 · · Score: 4, Funny

    Well they have a QA system, but they forgot the password, and right now the password reset functionality is disabled.

    I'm sure they'll get back to it soon though!

    --
    People in cars cause accidents....accidents in cars cause people :-D
  12. Re:Phew by mr1911 · · Score: 4, Funny

    I could have been easily hit by that one...

    Think you weren't? I've been dialing your contacts all morning while dressed appropriately for chatroulette. Your grandma did not look happy, but your wife stayed connected for 45 minutes...

    --
    This post comes with a double-your-money-back guarantee!
    Any offense taken to this post is at your sole discretion.
  13. Re:A *little* more information would have been nic by hobarrera · · Score: 3, Informative

    RTFA! It's all clearly explained there!

  14. Re:Defective Microsoft by Zemran · · Score: 2

    It is basically the difference between knowing their shit and knowing they're shit.

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.