“Skype vulnerability allowing hijacking of any account if you know just the email address” – password reset vulnerability reported in the wild

Skype vulnerability allowing hijacking of any account if you know just the email address.

Here’s the original link where I read about this (in Russian) –

http://habrahabr.ru/post/158545/

with multiple people in the comments confirming it works and also reporting their accounts were stolen.

Here’s how it works:

Sign up for a new Skype account. Use the victim’s email. A warning will come up that an account with that email already exists, but you can still proceed with filling out the form and account creation.

Log in to the Skype client with your new account.

https://login.skype.com/account/password-reset-request – request a password reset using the victim’s email.

You will get a password reset notification and token in your Skype client. Follow the link to pick the victim’s account and reset the password.

It appears the only way to safeguard yourself for now is to change your main Skype account email to one that’s not publicly known.
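To make the root cause concrete, here is an added model of the two flows (my own illustration, not Skype's code): the weak service reproduces what the post describes (a duplicate sign-up is only warned about, and the reset token is pushed in-client to every account carrying that email), while the hardened service refuses a reused address, only treats a verified address as a reset channel, and binds each token to exactly one account delivered by mail alone. Class and method names and the example address are assumptions.

```python
import secrets

class WeakResetService:
    """Sign-up merely warns on a reused email; a reset token is pushed in-band to every account tied to it."""
    def __init__(self):
        self.accounts = {}  # name -> email, never verified
        self.tokens = {}    # token -> account names it may reset

    def sign_up(self, name, email):
        self.accounts[name] = email  # an existing email only triggers a warning

    def request_reset(self, email):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {n for n, e in self.accounts.items() if e == email}
        return token  # shown in the client of every matching account

    def reset(self, token, name):
        return name in self.tokens.pop(token, set())

class HardenedResetService:
    """One verified email per account; a token names one account and is sent only to that mailbox."""
    def __init__(self):
        self.accounts = {}  # name -> (email, verified)
        self.tokens = {}    # token -> the single account it may reset
        self.mailbox = {}   # email -> tokens (simulated mail delivery)

    def sign_up(self, name, email):
        if any(e == email for e, _ in self.accounts.values()):
            return False  # refuse the duplicate outright
        self.accounts[name] = (email, False)
        return True

    def verify_email(self, name):
        self.accounts[name] = (self.accounts[name][0], True)

    def request_reset(self, email):  # returns nothing in-band, known email or not
        for name, (e, verified) in self.accounts.items():
            if e == email and verified:  # at most one account can match
                self.tokens[(token := secrets.token_urlsafe(16))] = name
                self.mailbox.setdefault(email, []).append(token)

    def reset(self, token, name):  # single use: the token is consumed either way
        return self.tokens.pop(token, None) == name

def second_signup_can_reset(service, email="victim@example.test"):
    """Constructed scenario from the post: a second account registers the victim's email and tries the token it gets."""
    service.sign_up("victim", email)
    if service.sign_up("second", email) is False:
        return False
    return service.reset(service.request_reset(email), "victim")
```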

See also: http://pixus-ru.blogspot.co.uk/2012/11/hack-any-skype-account-in-6-easy-steps.html

Comments further down suggest that Skype have blocked password resets for the moment, presumably to get a grip on this.
