Do we need stronger email addresses?
Skype vulnerability allowed for account hijacking using only email address.
A worryingly trivial vulnerability in VoIP service Skype became public this morning, which allowed anyone to
take over a user's Skype account using nothing but the email address linked to the account.
The method - which was posted on Russian underground forums a few months ago and allegedly used to hijack the account
of the Russian opposition leader - consisted of creating a new account using the email address that was used by the victim
to create their account. While Skype gives a warning that the address is already in use, it does not prevent the new
account being created; the email address is never verified. Once an account had been created, the attacker only had to log into
Skype and request a password reset using a web browser, which resulted in the Skype interface displaying a
one-time password that allowed the attacker to take over the victim's account.
Skype's owner Microsoft responded quickly when the vulnerability was made public, and closed the link
between the password reset in the web browser and the Skype interface; indeed, we were not able to reproduce the
method. However, account creation using a previously used email address is still possible.
While vulnerabilities like this - that don't require any technical knowledge to exploit - are rare, account hijacks based
solely on the knowledge of an email address linked to the account are not unique: many high-profile cases of account
compromises have shown that such knowledge helps a great deal in attacks using social engineering. Users would thus do
well to consider using a unique, hard-to-guess email address for important accounts: password reset features have long
been known to be a security weakness, so making it harder to have a password reset is a sensible thing to do.
In the meantime, we hope that Microsoft will make new Skype
accounts verify the email address linked to the account, regardless of whether
the address has been used before. Currently, Skype's ability to search
users by their email address makes it easy to impersonate someone on the
service - the fact that we were able to create a Skype account using Bill
Gates's email address and then find him using a search on that address is a
More at Kaspersky's Securelist blog here with the official statement from Microsoft here.
password, skype, vulnerability.
Posted on 14 November 2012 by Martijn Grooten.
Leave a comment.
del.icio.us digg this