Full Disclosure mailing list archives

Re: Skype account + IM history hijack vulnerability


From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 19 Nov 2012 02:26:25 -0500

On Wed, Nov 14, 2012 at 5:20 AM, Kirils Solovjovs
<kirils.solovjovs () kirils com> wrote:

The team has worked around this and are now trying to fix the
bug/feature. :)

http://www.reddit.com/r/netsec/comments/13664q/skype_vulnerability_allowing_hijacking_of_any/

"Skype investigating account theft vulnerability - Update 2,"
http://www.h-online.com/security/news/item/Skype-investigating-account-theft-vulnerability-Update-2-1749720.html.

Microsoft-owned VoIP service provider Skype has taken its password
reset mechanism offline following a report from The Next Web about a
security vulnerability that apparently allowed anyone to take over a
Skype account of their choice. According to the report, an attacker
with knowledge of the email address associated with a Skype account
could take complete control of that account by changing the password.

The vulnerability was first disclosed on a Russian security forum and
The Next Web says it was able to reproduce the exploit. Skype has said
that it is currently investigating the issue and has disabled the
password reset functionality for its service as a precaution while the
investigation is ongoing.

The email address for the target account was reportedly first used to
extract the associated Skype name from the service. The attacker would
then create another Skype username for the target email address and
use it to request and redeem a password reset token, locking the
legitimate user out of their account. Both The Next Web and the
original discoverer of the vulnerability say they have disclosed the
problem to Skype and Microsoft.

Since Skype has now disabled the password recovery functionality, the
security hole cannot currently be exploited. It remains to be seen
whether, once the company has concluded its investigation, the
vulnerability is closed with an update to the Skype client itself or
to the service's backend servers.

Update 14-11-12 14:33: The H's associates at heise Security were able
to confirm the security vulnerability before Skype disabled its
password reset system. Using a newly created Skype name with the
target's email address, they were able to request a password reset
token which was sent by email and as a chat message to the new Skype
account. Using this, they were able to reset the target account's
password without having access to its original email address.

Dmitry Chestnykh, who originally found the bug that later led to the
discovery of the vulnerability, has now presented a chat log that
supposedly proves that he contacted Skype support with details of the
problem back in August. If this information proves to be correct,
Skype's password reset mechanism was vulnerable for several months
until the company disabled it as part of its investigation.

Update 14-11-12 16:25: Skype has now updated its statement on the
security issue to say that it has amended its password reset process
so that it should now work properly. The company goes on to say that
it believes only "a small number of users" may have been affected by
the security problem and these users are being contacted and offered
assistance.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
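
The reset weakness reported in the quoted article, reduced to a small model beside a hardened variant. This is an added example, not part of the original message and not Skype's code; the `ResetService` class, the account names and the "email"/"chat" channels are assumptions drawn from the article's description.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    email: str
    email_verified: bool = False  # True only after a mailed confirmation link is used

@dataclass
class ResetService:
    hardened: bool
    accounts: dict = field(default_factory=dict)  # name -> Account
    tokens: dict = field(default_factory=dict)    # token -> account it may reset
    outbox: list = field(default_factory=list)    # (channel, recipient, token)

    def register(self, name, email, verified=False):
        self.accounts[name] = Account(name, email, verified)

    def request_reset(self, requester, email):
        """requester is the signed-in account name that asked for the reset."""
        for acct in list(self.accounts.values()):
            if acct.email != email:
                continue
            if self.hardened and not acct.email_verified:
                continue  # an unverified claim on the address earns nothing
            token = secrets.token_urlsafe(32)
            self.tokens[token] = acct.name  # bound to exactly one account
            self.outbox.append(("email", email, token))
            if not self.hardened:
                # Weak design: a copy also goes to the requesting session
                self.outbox.append(("chat", requester, token))

    def chat_inbox(self, name):
        return [t for ch, rcpt, t in self.outbox if ch == "chat" and rcpt == name]

    def redeem(self, token, target):
        # Single use; valid only for the account it was issued for
        return self.tokens.pop(token, None) == target

def requester_can_take_over(hardened):
    """Constructed scenario: second account registered on an existing address."""
    svc = ResetService(hardened)
    svc.register("alice", "alice@example.com", verified=True)
    svc.register("alice_2", "alice@example.com")  # never proved mailbox access
    svc.request_reset("alice_2", "alice@example.com")
    return any(svc.redeem(t, "alice") for t in svc.chat_inbox("alice_2"))
```

The hardened path keeps the mailbox as the only proof of ownership: tokens go out by email alone and only for accounts whose address was confirmed.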

