While not exactly related to web security, it’s always good to take a minute to look at the web’s cousin, the desktop. On November 13th a Skype vulnerability was released that would allow an attacker to hijack an existing account. All the attacker would need is to know the primary email on any account.
The vulnerability is actually ingenious in retrospect, and it’s interesting it hadn’t been identified earlier. Do note however that it had been out for a few months. Protalinski with The Next Web explains how it works:
When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account.
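As an added illustration that is not from the article or from Skype's own code, the following constructed model reproduces the shape of the flaw: the weak flow hands a password reset token to whichever client session re-registers an existing email, while the hardened flow only ever delivers the token to the inbox of the address on file. Account names, addresses and method names are assumptions for the model.

```python
import secrets

# Constructed model (not Skype's code): username -> primary email, reset tokens,
# and a fake mailbox so the path a token travels can be inspected.
class AccountService:
    def __init__(self, hardened):
        self.hardened = hardened
        self.accounts = {"victim": "victim@example.com"}  # username -> email
        self.tokens = {}                                   # token -> username
        self.mailbox = {}                                  # email -> messages

    def _deliver(self, email, message):
        self.mailbox.setdefault(email, []).append(message)

    def sign_up(self, email, session):
        """Sign-up attempt from an app session; 'session' is the client's state."""
        owners = [u for u, e in self.accounts.items() if e == email]
        if not owners:
            session["username"] = f"user_{secrets.token_hex(2)}"
            self.accounts[session["username"]] = email
            return "created"
        # Existing address: a username reminder to that inbox is harmless.
        self._deliver(email, f"reminder: your username is {owners[0]}")
        if not self.hardened:
            # Weak behaviour: reset token handed to the unverified session.
            token = secrets.token_hex(16)
            self.tokens[token] = owners[0]
            session["reset_token"] = token
        return "reminder_sent"

    def request_reset(self, email):
        """Hardened path: the token only travels to the address on file."""
        owners = [u for u, e in self.accounts.items() if e == email]
        if owners:
            token = secrets.token_hex(16)
            self.tokens[token] = owners[0]
            self._deliver(email, f"reset token: {token}")
        return "ok"  # same reply whether or not the email exists

    def redeem(self, token, new_password):
        """Returns the username whose password was changed, or None."""
        return self.tokens.pop(token, None)


def attacker_can_take_over(hardened):
    """Replays the scenario: the attacker knows only the victim's email."""
    svc = AccountService(hardened)
    attacker_session = {}
    svc.sign_up("victim@example.com", attacker_session)
    token = attacker_session.get("reset_token")
    return token is not None and svc.redeem(token, "new-pw") == "victim"
```

The check to carry into a real reset flow is the one the hardened branch enforces: a recovery secret must reach only a channel the account owner has already proven, never the session that asked for it.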
Too many of us share our primary emails, like our passwords, across various third-party platforms. Remember, with ease of use and convenience come vulnerabilities. The same principles apply on the desktop as on the web.
This was Microsoft’s official response to inquiries by The Next Web:
Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly.
We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.
What Can You Do
First you can breathe a sigh of relief. If you haven’t been hit yet, you likely won’t be with the latest patch. To be safe however, we recommend you create a new anonymous email that is not known by anyone. You can leverage a number of services from Gmail, Windows Live and many others. Use that new anonymous email address to manage and handle third-party applications like Skype, Twitter, Facebook, and others.
If you have any questions pertaining to this post just let us know at firstname.lastname@example.org