Do we need stronger email addresses?
Skype vulnerability allowed for account hijacking using only email address.
A worryingly trivial vulnerability in VoIP service Skype became public this morning, which allowed anyone to take over a user's Skype account using nothing but the email address linked to the account.
The method - which was posted on Russian underground forums a few months ago and allegedly used to hijack the account of the Russian opposition leader - consisted of creating a new account using the email address that was used by the victim to create their account. While Skype gives a warning that the address is already in use, it does not prevent the new account being created; the email address is never verified. Once an account had been created, the attacker only had to log into Skype and request a password reset using a web browser, which resulted in the Skype interface displaying a one-time password that allowed the attacker to take over the victim's account.
Skype's owner Microsoft responded quickly when the vulnerability was made public, and closed the link between the password reset in the web browser and the Skype interface; indeed, we were not able to reproduce the method. However, account creation using a previously used email address is still possible.
While vulnerabilities like this - that don't require any technical knowledge to exploit - are rare, account hijacks based solely on the knowledge of an email address linked to the account are not unique: many high-profile cases of account compromises have shown that such knowledge helps a great deal in attacks using social engineering. Users would thus do well to consider using a unique, hard-to-guess email address for important accounts: password reset features have long been known to be a security weakness, so making it harder to have a password reset is a sensible thing to do.
In the meantime, we hope that Microsoft will make new Skype accounts verify the email address linked to the account, regardless of whether the address has been used before. Currently, Skype's ability to search users by their email address makes it easy to impersonate someone on the service - the fact that we were able to create a Skype account using Bill Gates's email address and then find him using a search on that address is a little worrying.Tweet del.icio.us digg this
Login to leave a comment