| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 19 Nov 2012 02:26:25 -0500 From: Jeffrey Walton <noloader@...il.com> To: Kirils Solovjovs <kirils.solovjovs@...ils.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Skype account + IM history hijack vulnerability On Wed, Nov 14, 2012 at 5:20 AM, Kirils Solovjovs <kirils.solovjovs@...ils.com> wrote: > > The team has worked around this and are now trying to fix the > bug/feature. :) > > http://www.reddit.com/r/netsec/comments/13664q/skype_vulnerability_allowing_hijacking_of_any/ > "Skype investigating account theft vulnerability - Update 2," http://www.h-online.com/security/news/item/Skype-investigating-account-theft-vulnerability-Update-2-1749720.html. Microsoft-owned VoIP service provider Skype has taken its password reset mechanism offline following a report from The Next Web about a security vulnerability that apparently allowed anyone to take over a Skype account of their choice. According to the report, an attacker with knowledge of the email address associated with a Skype account could take complete control of that account by changing the password. The vulnerability was first disclosed on a Russian security forum and The Next Web says it was able to reproduce the exploit. Skype has said that it is currently investigating the issue and has disabled the password reset functionality for its service as a precaution while the investigation is ongoing. The email address for the target account was reportedly first used to extract the associated Skype name from the service. The attacker would then create another Skype username for the target email address and use it to request and redeem a password reset token, locking the legitimate user out of their account. Both The Next Web and the original discoverer of the vulnerability say they have disclosed the problem to Skype and Microsoft. Since Skype has now disabled the password recovery functionality, the security hole cannot currently be exploited. It remains to be seen whether, once the company has concluded its investigation, the vulnerability is closed with an update to the Skype client itself or to the service's backend servers. Update 14-11-12 14:33: The H's associates at heise Security were able to confirm the security vulnerability before Skype disabled its password reset system. Using a newly created Skype name with the target's email address, they were able to request a password reset token which was sent by email and as a chat message to the new Skype account. Using this, they were able to reset the target account's password without having access to its original email address. Dmitry Chestnykh, who originally found the bug that later let to the discovery of the vulnerability, has now presented a chat log that supposedly proves that he contacted Skype support with details of the problem back in August. If this information proves to be correct, Skype's password reset mechanism was vulnerable for several months until the company disabled it as part of its investigation. Update 14-11-12 16:25: Skype has now updated its statement on the security issue to say that it has amended its password reset process so that it should now work properly. The company goes on to say that it believes only "a small number of users" may have been affected by the security problem and these users are being contacted and offered assistance. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists