OMEN
11-19-2012, 10:55 AM
A critical vulnerability was found in voice and video service of Skype, which allows any account to be hacked. To do this you only need to know the email address of the victim.
Hacking scheme is as follow:
you need to register a new Skype name at the victim’s e-mail (this is technically possible).
Then you need to enter skype with the new account, delete all cookies and request password recovery.
After that, you will see a "password token" notification in the Skype window with a link.
When user follows this link, they can select which Skype name registered at that e-mail they want to change a password for. Among these names there will be both the one that has just been registered to someone else’s e-mail and the name of the owner of that email.
Thus, without access to someone else's mailbox and without knowing the old password, you can change someone else's password.
The hacking procedure was demonstrated in the video of @asintsov Twitter user (shortly after being posted the video was removed and is currently unavailable). Skype representatives had no immediate comment on the vulnerability, and the information is only available in Russian web.
The feature of the vulnerability is that an attacker can’t entirely deprive the account owner of access to it, because the owner will receive e-mail notification of the password change. The only solution the Russian users believe exists is to re-register Skype name to e-mail which no one knows and which isn’t in any database.
Anton Nosik, the famous Russian blogger, admitted that’s how his Skype account was hacked. Blogger Ilya Varlamov made the similar statement.
Extra T.
Hacking scheme is as follow:
you need to register a new Skype name at the victim’s e-mail (this is technically possible).
Then you need to enter skype with the new account, delete all cookies and request password recovery.
After that, you will see a "password token" notification in the Skype window with a link.
When user follows this link, they can select which Skype name registered at that e-mail they want to change a password for. Among these names there will be both the one that has just been registered to someone else’s e-mail and the name of the owner of that email.
Thus, without access to someone else's mailbox and without knowing the old password, you can change someone else's password.
The hacking procedure was demonstrated in the video of @asintsov Twitter user (shortly after being posted the video was removed and is currently unavailable). Skype representatives had no immediate comment on the vulnerability, and the information is only available in Russian web.
The feature of the vulnerability is that an attacker can’t entirely deprive the account owner of access to it, because the owner will receive e-mail notification of the password change. The only solution the Russian users believe exists is to re-register Skype name to e-mail which no one knows and which isn’t in any database.
Anton Nosik, the famous Russian blogger, admitted that’s how his Skype account was hacked. Blogger Ilya Varlamov made the similar statement.
Extra T.