Critical vulnerability found in Skype

Posted: November 14, 2012 in IT Security News, Vulnerability News

A critical security vulnerability has been found in Skype (the voice and video service). The vulnerability allows any Skype account to be taken over.

The attacker only needs to know the victim's e-mail address. The scheme is as follows:

  • You need to register a new Skype Name using the victim's e-mail address (this is technically possible);
  • After that, you must log in to the new account, delete all cookie files and request password recovery;
  • After that, a “password token” notification containing a link arrives in the Skype window;
  • Through this link, the user can select which of the Skype logins registered to that e-mail address should have its password changed;
  • These logins include both the one the user has just registered to someone else's e-mail address and the username of that address's owner;
  • So, with no access to the other person's mailbox and without knowing the old password, you can change someone else's password.

The procedure was demonstrated in a video by Twitter user @asintsov. Skype representatives had no immediate comment on the vulnerability.

A feature of the vulnerability is that an attacker cannot completely deny the account holder access to the account, because the password-change notification also arrives in the mailbox of the person whose account has been compromised. The only way out is to re-register Skype with an e-mail address that no one knows and that has not been exposed in any databases.
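The recovery logic described above can be modelled in a few lines. This is an added example, not Skype's code and not taken from the original post: the class and method names are hypothetical, the addresses are constructed, and the hardened variant (token delivered only by mail, reset limited to logins with a confirmed address) is one possible mitigation, since the page does not describe the actual fix.

```python
import secrets

class Accounts:
    """Toy model: several logins may be registered to one e-mail address."""
    def __init__(self):
        self.users = {}    # login -> {"email", "verified", "password"}
        self.tokens = {}   # reset token -> e-mail address it was issued for
        self.mailbox = {}  # e-mail address -> tokens delivered by mail

    def register(self, login, email, password, verified=False):
        self.users[login] = {"email": email, "verified": verified, "password": password}

    def logins_for(self, email, verified_only):
        return [name for name, u in self.users.items()
                if u["email"] == email and (u["verified"] or not verified_only)]

    def _issue(self, email):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = email
        return token

    def recover_flawed(self, session_login):
        # Flaw 1: the token is handed to the logged-in session, not the mailbox.
        # Flaw 2: the session's e-mail address was never proven to belong to it.
        return self._issue(self.users[session_login]["email"])

    def recover_hardened(self, email):
        # The token leaves the server only by mail; the requester gets nothing back.
        self.mailbox.setdefault(email, []).append(self._issue(email))

    def reset(self, token, login, new_password, verified_only):
        email = self.tokens.pop(token, None)  # tokens are single use
        if email is None or login not in self.logins_for(email, verified_only):
            return False
        self.users[login]["password"] = new_password
        return True

def demo():
    db = Accounts()  # constructed sample data
    db.register("owner", "owner@example.test", "old", verified=True)
    db.register("second", "owner@example.test", "x")  # address never confirmed
    token = db.recover_flawed("second")
    flawed = db.reset(token, "owner", "changed", verified_only=False)
    db.users["owner"]["password"] = "old"  # restore for the second run
    returned = db.recover_hardened("owner@example.test")
    mailed = db.mailbox["owner@example.test"][0]
    blocked = db.reset(mailed, "second", "y", verified_only=True)
    return flawed, returned, blocked, db.users["owner"]["password"]
```

In the hardened run the requesting session receives nothing, and even the mailed token cannot be applied to a login whose address was never confirmed.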

Comments
  1. Ivan Koldaev says:

    > Feature of the vulnerability is that an attacker can not completely deny the account holder’s access to it…

    Actually, an attacker can completely deny the account holder’s access to it. In order to do that, the attacker just changes the primary email to his own, and removes the previous (victim’s) email.
    How to steal any Skype account in 6 easy steps and how to protect your Skype account. Illustrated guide – http://bit.ly/SLtlZi

  2. Sergey Gor says:

    Skype’s administration has blocked the password recovery form as a temporary solution to the vulnerability in the user authentication system.

  3. Sergey Gor says:

    Within just hours, Skype has reported eliminating a serious bug whose use made it possible to reset a user's password and steal a legitimate user's data: https://malwarelist.wordpress.com/2012/11/14/skype-has-closed-the-possibility-of-hijacking/
