
Vulnerability in skype, allowing to hijack any account


About three months ago I wrote to Skype support about this critical vulnerability, but it has not yet been fixed (already fixed).

I will say right away that I do not know the vulnerability in full, but mass account hijackings have recently begun.

To carry out the attack, you only need to know the victim's e-mail address.

Proof-of-concept

  1. Register a new Skype account using the victim's e-mail address (the form will say that someone is already registered with this address; ignore that and continue filling it in).
  2. Log in to the Skype client.
  3. Delete all cookies, go to login.skype.com/account/password-reset-request and enter the victim's e-mail address.
  4. A notification arrives from Skype:
    [screenshot: Skype notification]
  5. Follow the link: it shows the victim's e-mail address and the list of logins registered to that address. Your own login is visible there as well.
  6. Select the victim's login and change the password.
  7. PROFIT
  8. Letters appear in the victim's mailbox approximately in this sequence (partners and acquaintances sent screenshots of their mailboxes after being hacked):

    [screenshot: sequence of letters in the victim's mailbox]

    And other examples: [link] | [link] | [link] | [link] | [link]
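The two design defects the steps above rely on, modelled as an added example (this is not code from the post, nor Skype's own code; all names, logins and addresses are constructed): accounts get linked to an e-mail address that was never verified, and the reset flow treats any account on an address as proof of ownership and reveals the other logins on it. The hardened class beside it shows the shape of the fix a defender would expect: verified ownership before linkage, and single-use tokens bound to one login and sent to the mailbox rather than to the requester.

```python
import secrets


def vulnerable_reset_request(accounts, requester_login, email):
    """Flawed flow modelled on the steps above: sign-up never verified the
    e-mail, so the requester's own account on that address is taken as proof
    of ownership, and the response lists every login on it, any of which
    the requester may then reset."""
    if accounts[requester_login]["email"] != email:
        raise PermissionError("requester has no account on this e-mail")
    return sorted(login for login, acct in accounts.items() if acct["email"] == email)


class HardenedRecovery:
    """An address counts only once its owner has verified it, a verified
    address cannot be claimed by a second sign-up, and reset tokens are bound
    to one login and delivered to the mailbox (modelled by `outbox`), so the
    requester learns nothing about other accounts."""

    def __init__(self):
        self.accounts = {}   # login -> {"email", "password", "verified"}
        self.tokens = {}     # single-use reset token -> login
        self.outbox = []     # (email, token) pairs the mail server would send

    def register(self, login, email, password):
        if any(a["email"] == email and a["verified"] for a in self.accounts.values()):
            return False     # e-mail already owned by a verified account
        self.accounts[login] = {"email": email, "password": password, "verified": False}
        return True

    def verify_email(self, login):   # stand-in for following the verification link
        self.accounts[login]["verified"] = True

    def reset_request(self, email):
        for login, acct in self.accounts.items():
            if acct["email"] == email and acct["verified"]:
                token = secrets.token_urlsafe(16)
                self.tokens[token] = login
                self.outbox.append((email, token))
        return None          # identical reply whether or not the address exists

    def reset_password(self, token, new_password):
        login = self.tokens.pop(token, None)   # unknown or already-used token
        if login is None:
            return None
        self.accounts[login]["password"] = new_password
        return login
```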


If you have received letters like these, that is a reason to be wary!


The only way to protect yourself at the moment is to register a new e-mail address that nobody knows and, via the Skype website, change the main e-mail of your account to the new one.

Attention! It is impossible to change the main e-mail through the Skype client itself; only through the website!


In the last week alone, 10 people from my contact list have been hacked using this vulnerability.

I want to warn everyone to protect themselves as quickly as possible: since Microsoft has so far taken no action, take care of your own safety.


UPD

A way (PoC) to use the vulnerability has appeared: http://forum.xeksec.com/f13/t68922/#post98725

UPD2

Official comment from a Skype representative:

We have received reports of a security vulnerability in Skype. For the safety of our users, we have temporarily disabled the password reset function while we continue to investigate this issue. We apologize for the inconvenience; the safety of our users is our top priority.