This morning I awoke to find the news feeds churning on a Skype password reset story. At first glance this seems like a troublesome one. If the headlines were to be believed, all an attacker would need is the email address associated with the intended target's Skype account, and they could reset that account's password.
Um, yeah, see that’s bad. M’kay.
What would be REALLY bad is that if some political figure had their account compromised…oh, look at the birdie.
From Twitter:
Oh, I checked Skype. Mine was stolen too, in exactly this way lenta.ru/news/2012/11/1… so if someone writes to you on Skype from me, it's not me
— Alexey Navalny (@navalny) November 14, 2012
So, the hack couldn’t be as simple as all that, could it?
From Pixus.ru:
Major vulnerability of Skype’s password reset system has gone public today.
The only thing you need to obtain full access to any Skype account is the primary email of that account (the email which was used when the Skype account was registered).
The following guide contains both – how to steal an account, and how to protect your account (scroll down for that).
Hmm. If only this was reported sooner to the folks at Microsoft so they could…what’s that? They knew since August? Oops. Never mind.
The upside is that after this was published to a Russian forum it was promptly fixed. The questions being: one, why did this particular one take so long to remediate, and two, how many people were affected?
From Skype:
We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority.
So, no Zombie apocalypse then? Bummer. Got all dressed up for nothing.
(Image used under CC from Scabeater)