Do we need stronger email addresses?

Skype vulnerability allowed for account hijacking using only email address.

A worryingly trivial vulnerability in VoIP service Skype became public this morning, which allowed anyone to take over a user's Skype account using nothing but the email address linked to the account.

The method - which was posted on Russian underground forums a few months ago and allegedly used to hijack the account of the Russian opposition leader - consisted of creating a new account using the email address that was used by the victim to create their account. While Skype gives a warning that the address is already in use, it does not prevent the new account being created; the email address is never verified. Once an account had been created, the attacker only had to log into Skype and request a password reset using a web browser, which resulted in the Skype interface displaying a one-time password that allowed the attacker to take over the victim's account.

Skype's owner Microsoft responded quickly when the vulnerability was made public, and closed the link between the password reset in the web browser and the Skype interface; indeed, we were not able to reproduce the method. However, account creation using a previously used email address is still possible.

While vulnerabilities like this - that don't require any technical knowledge to exploit - are rare, account hijacks based solely on the knowledge of an email address linked to the account are not unique: many high-profile cases of account compromises have shown that such knowledge helps a great deal in attacks using social engineering. Users would thus do well to consider using a unique, hard-to-guess email address for important accounts: password reset features have long been known to be a security weakness, so making it harder to have a password reset is a sensible thing to do.

In the meantime, we hope that Microsoft will make new Skype accounts verify the email address linked to the account, regardless of whether the address has been used before. Currently, Skype's ability to search users by their email address makes it easy to impersonate someone on the service - the fact that we were able to create a Skype account using Bill Gates's email address and then find him using a search on that address is a little worrying.

More at Kaspersky's Securelist blog here with the official statement from Microsoft here.

Tags: password, skype, vulnerability. Posted on 14 November 2012 by Martijn Grooten. Leave a comment.

del.icio.us

digg this

Blog Archive


	AV Test releases Android test data Latest VBSpam tests show web host spam harder to block AMTSO unveils product setup check tools June issue of VB published US lifts ban on anti-virus software for Iran Ruby on Rails vulnerability exploited in the wild Old posts 2013 2012 2011 2010 2009 2008 2007 2006 2005 2004 2003 2002 Subscribe \| View All virusbtn: This week on the VB blog: new VB issue; US lifts AV ban for Iran; Ruby vulnerability exploited; AV-Test results http://t.co/dvdL5xidKw 10 days ago virusbtn: Academic research paper looks at the challenges of taking down peer-to-peer botnets http://t.co/56z02XHc5D 10 days ago

News


	See also Calendar of Events Polls

Quick Links

Poll

Do current laws offer enough protection for ethical ('white-hat') hackers?
Leave a comment
View 4 comments

Virus Bulletin


	In this month's magazine: VB100 comparative review on Windows XP Professional SP3 VBSpam comparative review May 2013 Password sweepstakes Chat and paste MultiPlatform Madness! Java: setting security manager to null Bitcoin mining: Investing in the future of the underground market Subscribe now!

Virus Bulletin currently has 227,267 registered users.

Covering the global threat landscape

Do we need stronger email addresses?

Old posts