Feeds

Skype fixes flaw that let anyone with your email address hijack you

Could have been nasty - and was, for some people

5 things you didn’t know about cloud backup

Skype said it has resolved a password reset bug that made it possible to hijack accounts held with the VoIP service simply by knowing an email address.

The vulnerability, which was simple to abuse, first surfaced on a Russian underground forum three months ago before going mainstream when it appeared on Reddit early on Wednesday morning.

Would-be Hackers only needed to create a new Skype ID, associated with the email address of an intended victim. They could then assume control of this account using an online password reset form without needing to take control of the email address, something that made exploiting the bug a simple "point, click and pwn" exercise, as explained in our earlier story here. Numerous users and a handful of security consultants quickly verified that the exploit worked as advertised. Exploiting the bug locked legitimate users out of their account whilst allowing hackers to get access to potentially sensitive chat histories.

Skype disabled the password reset facility on Wednesday morning, around two hours after it went mainstream, while it grappled with the problem. In an updated statement on Tuesday afternoon, the Microsoft-owned VoIP service said it has now resolved the problem, allowing it to reinstate its password reset facility. It admitted a "small number of users" had been hacked by the bug and promised to help them to regain access to their accounts.

Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologise for the inconvenience.

Before Skype temporarily disabled password reset the only way to avoid exploitation was to associate a secret email address with a Skype account.

Rik Ferguson of Trend Micro has a good write-up of in the flaw in action and there's more commentary on the potentially calamitous bug in a blog post by Sophos here. ®

5 things you didn’t know about cloud backup

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?