Slashdot Mirror


Skype Disables Password Resets After Huge Security Hole Discovered

another random user writes with news of a vulnerability in the Skype password reset tool: "All you need to do is register a new account using that email address, and even though that address is already used (and the registration process does tell you this) you can still complete the new account process and then sign in using that account." Info (original post in Russian). concealment adds a link to another article with an update that Skype disabled the password reset page as a temporary fix.

5 of 65 comments

  1. Re:Defective Microsoft by Anonymous Coward · Score: 5, Funny

    You're too fussy. I could care less.

  2. Re:Defective Microsoft by junk · Score: 5, Insightful

    I almost feel sorry for them discovering this just after they discontinued Microsoft Messenger and moved people on to Skype. To be fair, I expect this hole existed when they bought Skype.

    I’m not so sure about that, y’know. It would likely have been discovered by now.

    I expect it’s a side effect of the migration of MSN users to Skype as it likely requires changes to both Skype and its backend.

    It's not new. I have an email address that people assume doesn't exist, and they sign up for things with it all the time. About two years ago, I received a password reset mail from Skype. When I went to reset it (as I do with every random account people sign up for with my email), they gave me the option to reset about a half dozen accounts. I now maintain a list of burner Skype accounts that had previously used my address.

    Fun fact: you are limited to 4 successful resets, per email address, per day.

  3. Re:Defective Microsoft by Kiuas · Score: 5, Interesting

    To be fair, I expect this hole existed when they bought Skype

    That doesn't seem likely. In fact, I think this is a side effect of Microsoft preparing to integrate the 100 million MSN Messenger users into Skype. Somebody has been trying to ensure that the accounts will overlap nicely and has obviously made a huge mistake which allows this to happen.

    --
    "It is the business of the future to be dangerous" -Alfred North Whitehead

  4. Re:HurrDurr 101? by Ksevio · Score: 5, Insightful

    That part actually makes sense. Skype allows you to have multiple accounts tied to the same email (some people might use that to separate contacts but maintain the same email). To make it easy to use, you don't have to verify that the email belongs to you, but email is really only for password resets, so it's not a big deal if you put a bogus email in.

    Now if you were just signed up with some random guy's email, it wouldn't be such a big deal, but the BIG security issue here is that for whatever reason Skype will send the password reset message to the random guy's email AND any Skype client associated with the email, and then almost worse, let you pick which account on the email to reset.

    If the password reset message was just sent to the email, it would be fine, but sending it to an account that doesn't have a verified email is an issue.

  5. Re:I don't entirely buy this... by Anonymous Coward · Score: 5, Informative

    You miss the point completely.

    It's a password reset token notification with a link (like this) that appeared in the Skype clients of anyone who has this email set as primary. When you click that link, it led to a password reset page with a dropdown box listing all accounts registered with this email and a "reset password" button.

    The problem is that they don't require verification when setting a primary email.
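The flow that comments 4 and 5 describe, modelled as an added Python example (not code from the post, from Skype or from Microsoft; the class and field names are hypothetical): the weak path issues one token that covers every account merely claiming an address and pushes it to all of their clients, while the hardened path acts only on verified addresses, binds each token to exactly one account and delivers it to the mailbox alone.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool = False
    client_inbox: list = field(default_factory=list)  # in-app notifications


class ResetService:
    """Hypothetical account store used to contrast the two reset flows."""

    def __init__(self):
        self.accounts = {}    # username -> Account
        self.tokens = {}      # token -> set of usernames it may reset
        self.mail_sent = []   # (email, token) pairs delivered out-of-band

    def register(self, username, email, verified=False):
        # Modelled flaw: any address may be attached, unverified, to many accounts.
        self.accounts[username] = Account(username, email, verified)

    def request_reset_weak(self, email):
        # Weak flow from the thread: one token covers every account that merely
        # claims the address, and it is pushed to all of their clients as well.
        claimants = [a for a in self.accounts.values() if a.email == email]
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {a.username for a in claimants}
        for a in claimants:
            a.client_inbox.append(token)
        self.mail_sent.append((email, token))
        return token

    def request_reset_hardened(self, email):
        # Hardened flow: only verified addresses qualify, each token is bound to
        # one account, and delivery goes to the mailbox only. Returns the count.
        issued = 0
        for a in self.accounts.values():
            if a.email == email and a.email_verified:
                token = secrets.token_urlsafe(16)
                self.tokens[token] = {a.username}
                self.mail_sent.append((email, token))
                issued += 1
        return issued

    def redeem(self, token, username):
        # A token resets a username only if it was issued for that account;
        # a successful redemption consumes the token.
        if username in self.tokens.get(token, set()):
            del self.tokens[token]
            return True
        return False
```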