VOIP ATTACK —

Microsoft suspends Skype password resets after account-hijacking report

Easy-to-execute attack used victim's e-mail address, report claims.

Microsoft has updated the password-resetting capabilities for its Skype service to fix a flaw that reportedly made the feature vulnerable to account-takeover attacks that were trivial to carry out.

The vulnerability "affected some users where multiple Skype accounts were registered to the same e-mail address," and company officials have contacted "a small number of users who may have been impacted to assist as necessary," a post published on Wednesday to the Skype status blog said. The officials didn't say how many people were affected.

The update followed a report published to a Russian-language user forum (a Google translation was also circulated) that claimed Skype users were vulnerable to easily performed account-takeover attacks. All that was required, according to the post, was knowledge of the victim's e-mail address. Attackers could then register a new Skype account using that same address. Once logged in to the new account in the Skype client, attackers activated the password-reset feature and waited for the client to display instructions for resetting the password. The weakness, as far as the report and the status blog describe it, was that the reset flow resolved accounts by e-mail address rather than by individual account, so a freshly registered account sharing the victim's address was treated as the same identity as the victim's existing one.
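To make that identity confusion concrete, the following is an added example, not Skype's code and not a description of Microsoft's fix. It models a toy account store in which several accounts may share one e-mail address (the precondition the status blog names), a reset routine keyed on the e-mail address beside one keyed on a single account, and the attack sequence the report describes. The account store, usernames, passwords and the e-mail address are all constructed for the illustration.

```python
"""Toy model of an e-mail-keyed password reset versus an account-keyed one.

Constructed illustration only: the store, the names and the e-mail address are
made up, and nothing here is Skype's implementation or Microsoft's fix.
"""

import secrets
from dataclasses import dataclass


@dataclass
class Account:
    account_id: str
    username: str
    email: str
    password: str


class AccountStore:
    """In-memory account table. Several accounts may be registered to the same
    e-mail address, which is what the report relies on."""

    def __init__(self):
        self.accounts = {}       # account_id -> Account
        self.reset_tokens = {}   # token -> account_id (account-keyed flow only)

    def register(self, username, email, password):
        acct = Account(secrets.token_hex(8), username, email.lower(), password)
        self.accounts[acct.account_id] = acct
        return acct.account_id

    def by_email(self, email):
        return [a for a in self.accounts.values() if a.email == email.lower()]

    # --- flawed flow: the e-mail address is treated as the identity ----------
    def reset_by_email(self, session_account_id, new_password):
        """Reset every account registered to the e-mail address of the account
        the caller is logged in to. A newly registered account that shares the
        address can therefore reset all the others."""
        caller = self.accounts[session_account_id]
        hit = self.by_email(caller.email)
        for acct in hit:
            acct.password = new_password
        return sorted(a.username for a in hit)

    # --- account-keyed flow: a token is bound to exactly one account ---------
    def issue_reset_token(self, session_account_id):
        """Single-use token bound to one account_id. Holding it says nothing
        about other accounts that happen to share the e-mail address."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = session_account_id
        return token

    def reset_by_token(self, token, new_password):
        account_id = self.reset_tokens.pop(token, None)  # consume on first use
        if account_id is None:
            return None  # unknown or already-used token
        self.accounts[account_id].password = new_password
        return self.accounts[account_id].username


def run_flawed():
    """Attack sequence from the report against the e-mail-keyed reset.
    Returns the victim's password after the attacker's reset."""
    store = AccountStore()
    victim = store.register("victim", "target@example.invalid", "hunter2")
    # Attacker knows only the e-mail address and registers a second account on it.
    attacker = store.register("attacker", "target@example.invalid", "anything")
    store.reset_by_email(attacker, "owned")
    return store.accounts[victim].password  # "owned": victim's account taken over


def run_account_keyed():
    """Same sequence against the account-keyed reset. Returns the victim's
    password, the attacker's password, and the result of replaying the token."""
    store = AccountStore()
    victim = store.register("victim", "target@example.invalid", "hunter2")
    attacker = store.register("attacker", "target@example.invalid", "anything")
    token = store.issue_reset_token(attacker)
    store.reset_by_token(token, "owned")          # only the attacker's own account
    replay = store.reset_by_token(token, "again")  # second use is rejected -> None
    return store.accounts[victim].password, store.accounts[attacker].password, replay


if __name__ == "__main__":
    print("e-mail-keyed reset, victim password now:", run_flawed())
    print("account-keyed reset (victim, attacker, replay):", run_account_keyed())
```

The difference between the two flows is where the identity lives: `reset_by_email` answers "who owns this address" and acts on every match, whereas `issue_reset_token` answers "which account asked" and binds the token to that single account_id. Whether an e-mail address should be allowed on more than one account at all is a separate registration-policy question this model does not take a position on.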

Ars was unable to reproduce the attack on Tuesday before the reset feature was suspended. Some users participating in a discussion on Reddit also reported being unable to make the attack work as described.

The reset fix comes as Microsoft has been asking users of its Windows Live Messenger to link their Messenger accounts to Skype. The move is part of Microsoft's plan to retire the Messenger client and move its users to Skype.

The reported bug in the password reset is just one of several Skype security issues users have had to contend with over the past year. In October, researchers uncovered a social-engineering campaign that abused the Skype platform to trick users into installing Dorkbot, a worm that uses its host computer to engage in click fraud. In July, Microsoft officials confirmed the existence of a bug that caused the voice-over-IP app to send copies of some messages to unintended recipients.

Story updated to add details about fix.
