Vulnerability in skype, allowing to hijack any account


About three months ago I wrote to Skype support about this critical vulnerability, but it still has not been fixed (update: already fixed).

I'll say right away that I don't know the full details of the vulnerability, but mass account hijackings have begun recently.

To carry out the attack, you only need to know the victim's e-mail address.

Proof-of-Concept

  1. Register a new Skype account using the victim's e-mail address (it will say something like "someone has already registered with this e-mail"; ignore that and keep filling in the form).
  2. Log in to the Skype client.
  3. Delete all cookies, go to Login.skype.com/account/password-reset-request and enter the victim's e-mail address.
  4. A notification arrives in Skype:

     [screenshot: the password-reset notification in the Skype client]
  5. Follow the link: you see the victim's e-mail address and the list of logins registered to it. Our own login is in the list as well.
  6. Select the victim's login and change the password.
  7. PROFIT
  8. Letters like these appear in the victim's mailbox, in roughly this order (partners and acquaintances sent screenshots of their mailboxes after being hacked):

     [screenshot: the reset e-mails in the victim's mailbox]

     And other examples: [links to five more screenshots]


If you receive letters like these, it is a reason to be on the alert!


The only protection at the moment is to register a new e-mail address that nobody knows and, through the Skype website, change the account's primary e-mail to the new one.

Attention! The primary e-mail cannot be changed through the Skype program, only through the website!
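The mechanism the steps above describe, modelled as an added example that is not code from the original post or from Skype: a toy password-reset service in Python with the flaw reproduced (an account may be linked to any e-mail address without verification, and the reset link is pushed into the client of every account linked to that address) beside a server-side hardened variant (the fix the post's author could not apply himself; the post's own workaround is the e-mail change just described). All logins, addresses and function names here are constructed.

```python
"""Toy model of a password-reset flow with and without the flaw described in the post.

Constructed example, not Skype's code.  Two deployments are modelled:
  vulnerable: the address typed at sign-up is trusted, and the reset link is
              pushed to the in-app notifications of every account linked to it,
              so a second account registered on the victim's address receives it.
  hardened:   the link goes only to the mailbox, and only accounts whose e-mail
              ownership was verified take part in a reset for that address.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    login: str
    email: str
    email_verified: bool
    password: str
    client_notifications: list = field(default_factory=list)  # what the client shows


class ResetService:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts: dict[str, Account] = {}
        self.mailboxes: dict[str, list] = {}    # e-mail address -> mail delivered to it
        self.reset_tokens: dict[str, str] = {}  # token -> address it was issued for

    def register(self, login: str, email: str, password: str, *, verify_email: bool) -> Account:
        # The vulnerable deployment trusts the typed address; the hardened one keeps the
        # link unverified until the owner confirms it from the mailbox.
        verified = verify_email or not self.hardened
        acct = Account(login, email, email_verified=verified, password=password)
        self.accounts[login] = acct
        return acct

    def linked_accounts(self, email: str) -> list[Account]:
        accts = [a for a in self.accounts.values() if a.email == email]
        if self.hardened:
            accts = [a for a in accts if a.email_verified]
        return accts

    def request_reset(self, email: str) -> None:
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = email
        # Both deployments mail the link to the address on file.
        self.mailboxes.setdefault(email, []).append(token)
        if not self.hardened:
            # The flaw: the same link is also pushed to the client of every
            # account that claims this address, verified or not.
            for acct in self.linked_accounts(email):
                acct.client_notifications.append(token)

    def reset_password(self, token: str, login: str, new_password: str) -> bool:
        """The reset page lists every login on the address; the token is valid for all of them."""
        email = self.reset_tokens.pop(token, None)
        acct = self.accounts.get(login)
        if email is None or acct is None or acct not in self.linked_accounts(email):
            return False
        acct.password = new_password
        return True


def attacker_succeeds(hardened: bool) -> bool:
    """Replay the post's steps without any mailbox access; True if the victim's password changed."""
    svc = ResetService(hardened)
    victim_email = "victim@example.invalid"  # constructed address
    svc.register("victim", victim_email, "victim-secret", verify_email=True)
    # Step 1: a second account is registered on the victim's address.  In the hardened
    # deployment it stays unverified, because nobody can click a mail they cannot read.
    mallory = svc.register("mallory", victim_email, "mallory-secret", verify_email=False)
    # Step 3: a reset is requested for the victim's address.
    svc.request_reset(victim_email)
    # Steps 4-6: look at the second account's own client for the link and apply it to the victim's login.
    for token in mallory.client_notifications:
        if svc.reset_password(token, "victim", "changed"):
            return True
    return svc.accounts["victim"].password != "victim-secret"


def legitimate_reset_works(hardened: bool) -> bool:
    """The real owner, reading the mailbox, can still reset in both deployments."""
    svc = ResetService(hardened)
    owner_email = "owner@example.invalid"  # constructed address
    svc.register("owner", owner_email, "old-secret", verify_email=True)
    svc.request_reset(owner_email)
    token = svc.mailboxes[owner_email][-1]
    return svc.reset_password(token, "owner", "new-secret")


if __name__ == "__main__":
    print("vulnerable deployment, attacker succeeds:", attacker_succeeds(hardened=False))
    print("hardened deployment, attacker succeeds:  ", attacker_succeeds(hardened=True))
```

The two changes in the hardened variant are independent, and each alone closes the hole as modelled here: delivering the link only to the mailbox removes the in-app channel the attacker reads, and refusing to act on unverified links means a freshly registered account on someone else's address takes no part in that address's resets. A real deployment wants both, since either one is easy to regress on its own.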


Over the last week, 10 people from my contact list alone have been hacked using this vulnerability.

I want to warn everyone as soon as possible so they can protect themselves, because so far Microsoft is not taking any action; take care of your own safety.


UPD

A PoC showing how to use the vulnerability has appeared: http://forum.xeksec.com/f13/t68922/#post98725

UPD2

Official comment from a Skype representative:

We have received reports of a vulnerability in Skype's security system. To protect our users, we have temporarily disabled the password reset function while we continue to investigate the issue. We apologize for the inconvenience; the safety of our users is our first priority.