Major Skype Vulnerability Found
Microsoft Freezes E-mail Resets to Thwart Exploit
by Karl Bode 09:08AM Wednesday Nov 14 2012
A new security vulnerability has been found in Skype that allows anyone to change your password and take control of your Skype account. First posted to a Russian Internet forum several months ago, The Next Web says they've tested the five-step hack and have confirmed that it works. All an attacker apparently needs is the e-mail address tied to your Skype account: they create a new Skype account with that e-mail address, then have the system generate a password reset token, which is sent to the Skype app itself. Microsoft has frozen account resets while they work to resolve the issue.

Skype issued the following statement about the matter:
quote:
"We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority"
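The reset flow the article describes, modelled as an added example (not the article's or Skype's code) with constructed usernames and e-mail addresses: the weak variant lets a second account be registered under the victim's e-mail and pushes the reset token to every client signed in under that e-mail, while the hardened variant rejects the duplicate and delivers the token only to the mailbox.

```python
import secrets


class ResetService:
    """Toy account store, constructed for this example (not Skype's code).
    strict=False mirrors the reported weakness: one e-mail may back several
    accounts and a reset token is pushed to every client signed in under it.
    strict=True: one account per e-mail, token delivered only to the mailbox."""

    def __init__(self, strict):
        self.strict = strict
        self.accounts = {}      # username -> {"email": ..., "password": ...}
        self.client_inbox = {}  # username -> tokens shown inside that user's app
        self.mail_outbox = {}   # e-mail address -> tokens delivered by e-mail
        self.pending = {}       # token -> username it is allowed to reset

    def register(self, username, email, password):
        if self.strict and any(a["email"] == email for a in self.accounts.values()):
            raise ValueError("e-mail already in use")
        self.accounts[username] = {"email": email, "password": password}

    def request_reset(self, email):
        holders = [u for u, a in self.accounts.items() if a["email"] == email]
        for user in holders:
            token = secrets.token_urlsafe(16)
            self.pending[token] = user
            if self.strict:
                self.mail_outbox.setdefault(email, []).append(token)
            else:  # weakness: every holder of the e-mail sees every token in-app
                for viewer in holders:
                    self.client_inbox.setdefault(viewer, []).append(token)

    def reset_password(self, token, new_password):
        user = self.pending.pop(token)  # KeyError for unknown or already-used tokens
        self.accounts[user]["password"] = new_password
        return user


def cross_account_reset_possible(strict):
    """Defender's check: can a second account registered with the victim's
    e-mail obtain a token that resets the victim's password?"""
    svc = ResetService(strict)
    svc.register("victim", "victim@example.com", "original")
    try:
        svc.register("second", "victim@example.com", "other")
    except ValueError:
        return False  # duplicate e-mail rejected at registration
    svc.request_reset("victim@example.com")
    for token in svc.client_inbox.get("second", []):
        if svc.pending.get(token) == "victim":
            svc.reset_password(token, "changed")
            return svc.accounts["victim"]["password"] == "changed"
    return False
```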

pandora
Premium
join:2001-06-01
Outland
kudos:2

1 edit

Sigh

One day companies have got to get hold of security. Stuff like this happens too often.

antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable

Re: Sigh

said by pandora:

One day companies generally have got to get hold of security generally.

It won't happen.

Mospaw
My socks don't match.
Hawaiian Jellyfish
join:2001-01-08
Mile High
kudos:1

2 recommendations

said by pandora:

One day companies generally have got to get hold of security generally.

As long as they have humans programming the computers, or even robot programmers who were programmed by humans (and so on and so on), this won't happen.

Security has to be perfect to be absolute. The attackers only need to find one vector.

Disclaimer: I am a human who programs computers.
Kearnstd
Space Elf
Premium
join:2002-01-22
Mullica Hill, NJ
kudos:1

Re: Sigh

And perfect security can never be done even if you had perfect programmers assisted by perfect robot programmers.

As let's face it, the #1 hole is still the meat bag in the chair. Get a user to click yes on something and the hacker just infected their PC and sniffed their passwords.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports
zerog

join:2002-02-10
Carrollton, TX
kudos:1

2 edits
quote:
Security has to be perfect to be absolute. The attackers only need to find one vector.

Disagree. Security has to be "good enough" or sufficiently secure proportional to what is being protected.

That is obviously not happening here, and in most of the cases where we see "security fails".

There is no "absolute security" - anyone who starts talking that way is trying to sell you anti-virus software, or some "enterprise class security system that will keep the hackers out!".

The only absolute perfect security that can be obtained is for something which absolutely does not perfectly exist.

dvd536
as Mr. Pink as they come
Premium
join:2001-04-27
Phoenix, AZ
kudos:4

1 recommendation

said by Mospaw:

said by pandora:

One day companies generally have got to get hold of security generally.

As long as they have humans programming the computers, or even robot programmers who were programmed by humans (and so on and so on), this won't happen.

Security has to be perfect to be absolute. The attackers only need to find one vector.

Disclaimer: I am a human who programs computers.

Surprising they don't write compilers that check for buffer overflow conditions before they'll compile an exe or dll.
--
Despises any post with strings.
brianiscool

join:2000-08-16
Tampa, FL
kudos:1

russian site

Anyone know the URL to that website?
hardly
Premium
join:2004-02-10
USA

fixed

They say it is fixed.

»thenextweb.com/microsoft/2012/11···ffected/

plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

Re: fixed

[Screenshot: Version 6.0.0.120]
[Screenshot: Version 6.0.0.126]
New version of Skype out as well. See above screenshots.
pandora
Premium
join:2001-06-01
Outland
kudos:2
Reviews:
·ooma
·Google Voice
·Comcast
·Future Nine Corp..

Re: fixed

I looked at the images you posted. Maybe it's fixed, we can all hope. But look at the change in size. From a bit over 1 MB to almost 30 MB.

Skype grew almost 3,000% for a fix?
--
"If you put the federal government in charge of the Sahara Desert, in 5 years there'd be a shortage of sand." - Milton Friedman

plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

Re: fixed

[Screenshot: saved Skype installer versions]
You bring up an interesting point.

I am one who will save older versions of applications, just in case I need to go back a version or two. It also helps when I rebuild my machine (or a friend/family's machine) so I don't have to go re-download all the applications.

So, I went and looked to see what I had for Skype. I have 6 versions, and they are all pictured above. It is interesting that the last one I downloaded grew from just around 1 MB to just under 30 MB.

By the way, the filenames that I have listed are modified when I downloaded them. I believe they were all called "SkypeSetup.exe" when I originally downloaded them. I then renamed them to be SkypeSetup_versionumber.exe so I could tell them apart.

However, the current exe name is called "SkypeSetupFull.exe" when you go to download it.

It appears that Skype may have changed their install method. Before, it could have been a shell that you would launch, and it would pull the rest of the install down from the web at that time. It looks now that when you download Skype, you get the full install package.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail
bugabuga

join:2004-06-10
Austin, TX

Months to have someone scratch their behind to fix it

What's most frustrating is, it's been reported to them months ago. Response? None. Support staff reading off of scripts. E-mail reports being ignored.

And as soon as a couple of big news/blog sites reported it, immediate swift reaction and a fix in a few hours. So, it didn't even take long to fix this. Horrible.
--
Hyperom: Rants about life, politics, technology

Transmaster
Don't Blame Me I Voted For Bill and Opus

join:2001-06-20
Cheyenne, WY
Reviews:
·CenturyLink

1 recommendation

Re: Months to have someone scratch their behind to fix it

Good title; you need to add "and picking boogers". The super dooper app version of Skype M$ has for Windows 8 sucks so bad I deleted it and installed a version from earlier in the year; problem solved. What is one supposed to expect from a company that repackages a netbook and calls it the "Microsoft Surface"? M$, both Apple and the Android world are laughing at you.

This site is a God Send: »www.oldapps.com/
--
I am quite sure now that often, very often, in matters concerning religion and politics a man's reasoning powers are not above the monkey's.
- Mark Twain in Eruption
BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3
As Microsoft would say "Working as intended", and swept it under the rug until it was exploited. This pretty much is par for Microsoft.

KrK
Heavy Artillery For The Little Guy
Premium
join:2000-01-17
Tulsa, OK

Sherlock Holmes.....

"What one man can do, another man can undo."