Posted by on Nov 14, 2012 in Security, Software | 1 comment

Skype security commits grave error

A few hours ago, a tremendous security hole in Skype's password recovery system was revealed, one so stupid that some would say it calls for "killing the programmer with fire." Basically, if anyone knows the email of your account, they can open a new account with that address and use it to change your password.

For now, Microsoft has disabled its password recovery system. In a statement to The Next Web:

We have had reports of a new vulnerability. As a precautionary measure we have disabled the password reset temporarily while we continue to investigate the matter. We apologize for the inconvenience, but the user experience and security are our top priority.

Skype users are safe, at least for now. Before Skype took this measure, users could only defend themselves by changing their registered email to one nobody else knew. The serious (and silly) part of this problem is that it could be reproduced in six simple steps, just by following the normal flow of the new-account creation form:

  1. You open a new account
  2. You use the email of an existing account
  3. You open the Skype application with those credentials
  4. You request password recovery
  5. Skype sends the password recovery token to the email and to the application
  6. You open the token link; Skype detects more than one account associated with that email, and you choose the victim: change the password
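The six steps above come down to two server-side mistakes: registration never checks that the email is unused or actually controlled by the registrant, and the reset token identifies an email rather than one account, so whoever holds it gets to choose which account to reset. The following toy model, written for this page and not Skype's code (every name in it, VulnerableStore, HardenedStore, request_reset and the example addresses, is invented), puts the flawed logic beside a hardened version: an email can be attached to an account only once and only after ownership is confirmed, and a reset token is bound server-side to exactly one account id.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    account_id: str
    email: str
    password: str
    email_verified: bool = False


class VulnerableStore:
    """Models the flaw: registration never checks that the email is unused
    or controlled by the registrant, and a reset token is keyed by email,
    so its holder may apply it to any account sharing that address."""

    def __init__(self):
        self.accounts = {}   # account_id -> Account
        self.tokens = {}     # reset token -> email

    def register(self, account_id, email, password):
        self.accounts[account_id] = Account(account_id, email, password, True)

    def request_reset(self, email):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = email
        return token         # in the flaw, also shown inside the requesting app

    def accounts_for_token(self, token):
        email = self.tokens[token]
        return [a.account_id for a in self.accounts.values() if a.email == email]

    def complete_reset(self, token, account_id, new_password):
        # Lets the token holder pick among all accounts on that email (step 6).
        if account_id not in self.accounts_for_token(token):
            raise PermissionError("account not linked to this token")
        self.accounts[account_id].password = new_password
        del self.tokens[token]


class HardenedStore:
    """Two fixes: an email is attached to an account only once and only after
    ownership is verified, and a reset token is bound server-side to a single
    account id, so the caller never chooses the target."""

    def __init__(self):
        self.accounts = {}
        self.tokens = {}     # reset token -> account_id
        self.pending = {}    # verification token -> account_id

    def register(self, account_id, email, password):
        if any(a.email == email for a in self.accounts.values()):
            raise ValueError("email already registered")
        self.accounts[account_id] = Account(account_id, email, password)
        vtoken = secrets.token_urlsafe(16)
        self.pending[vtoken] = account_id
        return vtoken        # would be mailed to the address for confirmation

    def verify_email(self, vtoken):
        self.accounts[self.pending.pop(vtoken)].email_verified = True

    def request_reset(self, email):
        owners = [a for a in self.accounts.values()
                  if a.email == email and a.email_verified]
        if len(owners) != 1:
            return None      # no verified owner: issue nothing at all
        token = secrets.token_urlsafe(16)
        self.tokens[token] = owners[0].account_id
        return token         # delivered only to the verified mailbox

    def complete_reset(self, token, new_password):
        account_id = self.tokens.pop(token)   # KeyError on an unknown token
        self.accounts[account_id].password = new_password


VICTIM_EMAIL = "victim@example.invalid"   # constructed sample address


def vulnerable_flow():
    """Replays the post's six steps against the flawed store; returns True
    if the victim's password was changed by the second account's holder."""
    store = VulnerableStore()
    store.register("victim", VICTIM_EMAIL, "original-pw")
    store.register("attacker", VICTIM_EMAIL, "attacker-pw")     # steps 1-2
    token = store.request_reset(VICTIM_EMAIL)                    # steps 3-5
    store.complete_reset(token, "victim", "attacker-chosen-pw")  # step 6
    return store.accounts["victim"].password != "original-pw"


def hardened_flow():
    """Same attempt against the hardened store: step 2 is refused, and the
    reset token names the account it belongs to instead of an email."""
    store = HardenedStore()
    store.verify_email(store.register("victim", VICTIM_EMAIL, "original-pw"))
    duplicate_refused = False
    try:
        store.register("attacker", VICTIM_EMAIL, "attacker-pw")
    except ValueError:
        duplicate_refused = True
    token = store.request_reset(VICTIM_EMAIL)
    return {
        "duplicate_refused": duplicate_refused,
        "token_bound_to": store.tokens[token],
        "victim_password": store.accounts["victim"].password,
    }


if __name__ == "__main__":
    print("vulnerable store taken over:", vulnerable_flow())
    print("hardened store:", hardened_flow())
```

The design point is that the hardened complete_reset takes no account parameter at all: the server decided which account the token belongs to when it issued it, so the "choose the victim" screen in step 6 cannot exist. Refusing duplicate emails at registration is the second layer, and also means request_reset never has to disambiguate.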

Bruce Schneier, the renowned cryptographer, says that "security is not a product, it's a process." Very well, but a user hacked this way couldn't care less about the phrase.

1 Comment

  1. Thanks for the article. We all need to be more proactive about our personal account security. One thing you failed to mention is taking advantage of 2FA (2-Factor Authentication). Although it's been around for a while, more and more sites are starting to offer and promote this option. 2-Factor Authentication to complete a transaction while shopping online wins every day. I feel suspicious when I am not asked to telesign into my account by way of 2FA; it just feels as if they are not offering me enough protection. I know some will claim this makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. This should be a prerequisite for any system that wants to promote itself as being secure.