Skype commits a grave security error
A few hours ago a tremendous security hole was unveiled in Skype's password recovery system, one so stupid that some would say the programmer should be "exterminated with fire". Basically, if anyone knows the email address of your account, they can open a new account with that address and use it to change your password.
We have had reports of a new vulnerability. As a precautionary measure we have temporarily disabled password reset while we continue to investigate the matter. We apologize for the inconvenience, but user experience and security are our top priority.
Skype users are safe again, at least for now. Before Skype took this measure, users could only defend themselves by changing their registered email address to one nobody else knows. The serious (and silly) part of this problem is that it could be reproduced in six simple steps, just by following the normal flow of the new-account creation form:
- You open a new account
- You use the email address of an existing account
- You open the Skype application with those credentials
- You request password recovery
- Skype sends the password-recovery token to the email address and to the application
- You open the token link; Skype detects more than one account associated with that email and lets you choose the victim: change the password
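The flow above fails at two points: registration accepts an email address that already belongs to another account without verifying it, and the reset link identifies only the address, so whoever holds the link may pick any account registered under it. The following is an added model of that design next to a hardened one; it is constructed for this article and is not Skype's code. All names (`AccountStore`, `run_flawed`, `run_hardened`, the example addresses and passwords) are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    email: str
    password: str
    email_verified: bool = False


class AccountStore:
    """Minimal account store with two password-reset flows side by side.
    Constructed example; not Skype's implementation."""

    def __init__(self):
        self.accounts = {}       # account_id -> Account
        self.reset_tokens = {}   # token -> ("email", addr) or ("account", id)
        self._next_id = 1

    def create(self, email, password, verified=False):
        # No uniqueness check on the address: a second account can be opened
        # under an address that already belongs to someone else.
        acct = Account(self._next_id, email, password, verified)
        self.accounts[acct.account_id] = acct
        self._next_id += 1
        return acct

    def by_email(self, email):
        return [a for a in self.accounts.values() if a.email == email]

    # Flawed flow: the token identifies only the email address, and the reset
    # page lets its holder pick any account registered under that address.
    def request_reset_flawed(self, email):
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = ("email", email)
        return token

    def complete_reset_flawed(self, token, chosen_id, new_password):
        kind, email = self.reset_tokens.pop(token, (None, None))
        if kind != "email":
            return False
        if chosen_id not in {a.account_id for a in self.by_email(email)}:
            return False
        self.accounts[chosen_id].password = new_password
        return True

    # Hardened flow: one token per account, each bound to a single account id,
    # and only accounts whose address has been verified get a token at all.
    def request_reset_hardened(self, email):
        tokens = {}
        for acct in self.by_email(email):
            if not acct.email_verified:
                continue
            token = secrets.token_urlsafe(16)
            self.reset_tokens[token] = ("account", acct.account_id)
            tokens[acct.account_id] = token
        return tokens

    def complete_reset_hardened(self, token, new_password):
        kind, account_id = self.reset_tokens.pop(token, (None, None))
        if kind != "account":
            return False
        self.accounts[account_id].password = new_password
        return True


def run_flawed():
    """Replays the article's scenario (constructed data) against the flawed
    flow and returns the victim's password afterwards."""
    store = AccountStore()
    victim = store.create("victim@example.com", "victim-pw", verified=True)
    store.create("victim@example.com", "second-pw")  # second, unverified account
    token = store.request_reset_flawed("victim@example.com")
    store.complete_reset_flawed(token, victim.account_id, "changed")
    return victim.password


def run_hardened():
    """Same scenario against the hardened flow. The unverified second account
    receives no token, a guessed token is rejected, and the only token issued
    is bound to the verified account it was issued for."""
    store = AccountStore()
    victim = store.create("victim@example.com", "victim-pw", verified=True)
    second = store.create("victim@example.com", "second-pw")
    tokens = store.request_reset_hardened("victim@example.com")
    forged_ok = store.complete_reset_hardened(secrets.token_urlsafe(16), "changed")
    return {
        "victim_password": victim.password,
        "second_got_token": second.account_id in tokens,
        "victim_got_token": victim.account_id in tokens,
        "forged_accepted": forged_ok,
    }


if __name__ == "__main__":
    print("flawed flow, victim password:", run_flawed())
    print("hardened flow:", run_hardened())
```

The two changes are independent: verifying an address before it can trigger a reset stops a stranger from ever receiving a link, and binding each token to one account id means that even legitimately shared addresses only ever reset the account the link was issued for.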
Bruce Schneier, the renowned cryptographer, says that "security is not a product, it's a process." Very well, but for a user whose account was hacked this way, the phrase makes no difference.
Tags: bug, Skype