
Vulnerability in skype, allowing to hijack any account


About three months ago I reported this critical vulnerability to Skype support, but it still has not been fixed (update: already fixed).

Let me say up front that I do not fully understand the vulnerability, but mass account hijackings have recently begun.

To carry out the attack, you only need to know the victim's e-mail address.

Proof-of-Concept

  1. We register a new Skype account using the victim's e-mail address (the form will say something like "someone has already registered with this e-mail". Ignore it and keep filling in the form).
  2. Log in with the Skype client.
  3. Clear all cookies, go to login.skype.com/account/password-reset-request and enter the victim's e-mail address.
  4. A notification arrives in the Skype client:

     [screenshots of the password-reset notification in the Skype client]

  5. We follow the link and see the victim's e-mail address and the list of logins registered to it. Our own login is in the list as well.
  6. Select the victim's login and change the password.
  7. PROFIT
  8. Meanwhile, letters appear in the victim's mailbox in roughly this order (partners and acquaintances sent screenshots of their mailboxes after being hacked):

     [screenshot of the victim's mailbox]

     And other examples: [links to further screenshots in the original post]


If you receive letters like these, it is a reason to be on the alert!


The only protection at the moment is to register a new e-mail address that nobody knows and, through the Skype website, change the account's primary e-mail address to the new one.

Attention! The primary e-mail address cannot be changed through the Skype program! Only through the website!
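The steps above point at a design flaw rather than a coding bug: the reset flow is keyed on the e-mail address, the notice is delivered in-app to every account that lists that address (verified or not), and the reset page then lets the bearer choose any login tied to it. The workaround of moving to an e-mail address nobody knows works only because an attacker can no longer register a second account against it. The following is an added, constructed Python model (not Skype's code; all class and account names are hypothetical) that puts a minimal version of that flawed flow next to a hardened one in which each address has a single verified owner, the token is bound to that one login, is delivered only by e-mail, and is single-use and time-limited.

```python
"""Toy model of an e-mail-keyed password-reset flow and a hardened variant.
Constructed illustration for this write-up; not Skype's code. All names are hypothetical."""
import hashlib
import secrets
import time
from dataclasses import dataclass


def hash_pw(password: str) -> str:
    # Placeholder for a real password KDF (argon2/bcrypt); enough for the model.
    return hashlib.sha256(b"demo-salt" + password.encode()).hexdigest()


def _h(token: str) -> str:
    # Store only a hash of the token so a leaked table does not expose live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    login: str
    email: str
    email_verified: bool
    password_hash: str


class VulnerableResetService:
    """Reset is keyed on the e-mail address; the notice goes in-app to every
    account that lists that address, and the bearer may pick any such login."""

    def __init__(self, accounts):
        self.accounts = {a.login: a for a in accounts}
        self.tokens = {}      # token -> e-mail address
        self.inbox = {}       # login -> in-app notifications (tokens)

    def request_reset(self, email: str) -> None:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = email
        for a in self.accounts.values():
            if a.email == email:                       # no ownership check at all
                self.inbox.setdefault(a.login, []).append(token)

    def logins_for_token(self, token: str) -> list:
        email = self.tokens[token]
        return sorted(l for l, a in self.accounts.items() if a.email == email)

    def reset_password(self, token: str, login: str, new_password: str) -> None:
        if login not in self.logins_for_token(token):
            raise PermissionError("login not associated with this reset")
        self.accounts[login].password_hash = hash_pw(new_password)


class HardenedResetService:
    """One verified owner per e-mail; the token is bound to that single login,
    delivered only to the e-mail address, single-use and time-limited."""

    TOKEN_TTL = 900  # seconds

    def __init__(self, accounts):
        self.accounts = {}
        self.tokens = {}      # sha256(token) -> (login, expiry)
        self.outbox = []      # simulated e-mail delivery: (address, token)
        for a in accounts:
            self.register(a)

    def register(self, account: Account) -> Account:
        # A second account claiming an address already verified elsewhere is stored
        # unverified: it gets no reset rights until it proves ownership of the address.
        taken = any(a.email == account.email and a.email_verified
                    for a in self.accounts.values())
        if taken:
            account.email_verified = False
        self.accounts[account.login] = account
        return account

    def request_reset(self, email: str) -> None:
        owners = [a for a in self.accounts.values()
                  if a.email == email and a.email_verified]
        # Same (empty) response whether or not the address exists: no enumeration.
        if len(owners) != 1:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[_h(token)] = (owners[0].login, time.time() + self.TOKEN_TTL)
        self.outbox.append((email, token))             # e-mail only, never in-app
        return None

    def reset_password(self, token: str, new_password: str) -> str:
        entry = self.tokens.pop(_h(token), None)       # single use
        if entry is None:
            raise PermissionError("unknown or already used token")
        login, expiry = entry
        if time.time() > expiry:
            raise PermissionError("token expired")
        self.accounts[login].password_hash = hash_pw(new_password)
        return login


def demo():
    """Runs both flows against the same two accounts sharing one address.
    Returns (victim password changed by the second account in the flawed flow,
             hardened flow demoted the second account and e-mailed the owner only)."""
    def fresh():
        return [Account("victim", "victim@example.com", True, hash_pw("old")),
                Account("second", "victim@example.com", True, hash_pw("x"))]
    v = VulnerableResetService(fresh())
    v.request_reset("victim@example.com")
    tok = v.inbox["second"][0]                         # notice reached the other account
    v.reset_password(tok, "victim", "new")
    flawed_changed = v.accounts["victim"].password_hash == hash_pw("new")

    h = HardenedResetService(fresh())
    h.request_reset("victim@example.com")
    hardened_ok = (not h.accounts["second"].email_verified
                   and len(h.outbox) == 1 and h.outbox[0][0] == "victim@example.com")
    return flawed_changed, hardened_ok


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the proof of ownership lives: in the flawed flow the in-app notification counts as proof for every account that merely lists the address, while in the hardened flow only the channel the address itself controls (its inbox) ever sees the token, and the token already names the one login it may reset.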


In the last week alone, 10 people from my contact list were hacked using this vulnerability.

I want to warn everyone as quickly as possible so they can protect themselves, because so far Microsoft has taken no action. Take care of your own safety.


    UPD

A PoC showing how to use the vulnerability has appeared: http://forum.xeksec.com/f13/t68922/#post98725

    UPD2

Official comment from a Skype representative:

We have received reports of a vulnerability in Skype's security system. For the security of our users, we have temporarily disabled the password reset function, and we continue to investigate this issue. We apologize for the inconvenience; the safety of our users is our first priority.