jaegold.blogg.se

Skype microsoft account security













To exploit this flaw, all you need to know is your victim’s email address tied to their Skype account. To protect yourself, you would have to change your email address to one that nobody knows or could easily guess, but most likely Microsoft will get around to fixing the problem before that becomes necessary.

We reproduced the attack, step-by-step, and managed to access the Skype accounts of TNW writer (with permission) Josh Ong (as well as editor Matt Brian to verify again) with only their email addresses. Essentially, that email address is used to create a new account with your own email address tied to it. Then, minus a couple of key steps, you can use a password reset token to gain access to your target’s account. Having done all that, I could see my username for Josh’s account, and Josh’s username (for the first time – note, I had no idea what it was until this point) for his account, as well as change the password for whichever I pleased. I changed Josh’s, locking him out of the account and letting me in. Since I did this before Josh could, and he would have to be watching his email account “like a hawk” (his words, not mine) to beat me, I essentially gained exclusive access to his account. He couldn’t log back in until I gave him the new password.

The reason this works is simple, but it’s still worrying. When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account. This should not be allowed, as it lets anyone create another username for your Skype account by just knowing your email address.

The exposer of the vulnerability says that it has been reported but the hole is clearly still open. In the meantime, the best way to avoid being targeted by this is to use a different email address for your Skype account: change it over on now to one only you know about. To do this, click on the “Sign In” in the top-right corner, click on the “Profile” link in the middle of the page under “Account Details,” and scroll down to “Contact details.” From there, click on “Add email address,” add one, scroll to the bottom, and hit “Save.” One last time, scroll to the bottom again, click on “Edit,” then finally scroll up and choose “Set as primary email” beside your covert email address.

We have contacted both Skype and Microsoft about this issue in the hopes that it can be corrected sooner rather than later.

Update: Skype shared the following statement with The Next Web:

“We have had reports of a new security vulnerability issue.














