Today there are reports of a breathtakingly bad vulnerability in Skype that allows anyone to hijack another person’s account simply by knowing the email address registered to it.
Password resets have now been disabled, which mitigates the problem for the time being, but it remains inexcusable.
It is basic security practice that ownership of an email address must be validated by sending a confirmation message to that address containing a one-time link, and treating the address as unverified until that link is followed. I see this on web forums that discuss trivia – why not on Skype, where you can spend real money and, more seriously, see contacts and conversation history?
There must be a second weakness here, in that the new account somehow ends up being confused (by Skype) with the existing one. It should not be possible to create an account with an email address that is already in use on another account. In fact I count three weaknesses:
1. You can create an account with an email address that has not been validated.
2. You can create an account with an email address that is already in use on another account.
3. You can reset the password on another account without having access to its email address, by requesting a reset from a second account registered with the same email address.
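To make the three weaknesses concrete, here is an added example (not Skype’s code, and not a description of how Skype actually implemented any of this): a toy account service that can run in a deliberately weak mode and in a hardened mode. In weak mode, addresses are never verified, duplicates are accepted, and a password reset for an address hands the reset tokens to any logged-in account that shares that address. In hardened mode, registration sends a one-time confirmation link, a verified address may belong to only one account, and reset tokens are only ever mailed to the address on file. The account names, addresses and passwords are constructed for the demonstration; the password hashing is a placeholder and not suitable for real use.

```python
"""Toy account service: the three weaknesses beside their fixes (added example)."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    email: str
    password_hash: str
    email_verified: bool


def hash_password(pw: str) -> str:
    # Placeholder for the demo only; use argon2/bcrypt/scrypt in real code.
    return hashlib.sha256(pw.encode()).hexdigest()


class AccountService:
    """hardened=False: no email verification, duplicate addresses allowed, reset
    tokens shown to any account sharing the address (weaknesses 1, 2 and 3).
    hardened=True: confirmation link, one account per address, reset tokens
    delivered only to the verified address on file."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts = {}        # username -> Account
        self.confirm_tokens = {}  # one-time confirmation token -> username
        self.reset_tokens = {}    # one-time reset token -> username
        self.mail_sent = []       # (address, token) pairs the mailer would deliver

    def register(self, username: str, email: str, password: str) -> Account:
        if username in self.accounts:
            raise ValueError("username taken")
        if self.hardened and any(a.email == email for a in self.accounts.values()):
            # Weakness 2 fixed: an email address may be registered to one account only.
            raise ValueError("email address already registered")
        acct = Account(username, email, hash_password(password), email_verified=not self.hardened)
        self.accounts[username] = acct
        if self.hardened:
            # Weakness 1 fixed: ownership must be proven via a link sent to the address.
            token = secrets.token_urlsafe(32)
            self.confirm_tokens[token] = username
            self.mail_sent.append((email, token))
        return acct

    def confirm_email(self, token: str) -> bool:
        username = self.confirm_tokens.pop(token, None)
        if username is None:
            return False
        self.accounts[username].email_verified = True
        return True

    def request_reset(self, email: str, requesting_user: str) -> list:
        """Returns the reset tokens made visible to the requester.
        Weak mode: every account on that address gets a token, and a requester whose
        own account carries the same address sees all of them (weakness 3).
        Hardened mode: tokens go only to the verified address; the requester sees none."""
        visible = []
        for acct in self.accounts.values():
            if acct.email != email:
                continue
            if self.hardened and not acct.email_verified:
                continue  # unverified address: no reset path through it
            token = secrets.token_urlsafe(32)
            self.reset_tokens[token] = acct.username
            if self.hardened:
                self.mail_sent.append((acct.email, token))
            elif self.accounts[requesting_user].email == email:
                visible.append(token)
        return visible

    def reset_password(self, token: str, new_password: str) -> Optional[str]:
        username = self.reset_tokens.pop(token, None)
        if username is None:
            return None
        self.accounts[username].password_hash = hash_password(new_password)
        return username

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and acct.password_hash == hash_password(password)


def hijack_attempt(hardened: bool) -> bool:
    """Victim registers; attacker registers a second account on the victim's address
    and requests a reset.  Returns True if the attacker can then log in as the victim."""
    svc = AccountService(hardened)
    svc.register("victim", "victim@example.com", "correct horse")
    if hardened:
        svc.confirm_email(svc.mail_sent[-1][1])  # victim follows her own confirmation link
    try:
        svc.register("attacker", "victim@example.com", "hunter2")
    except ValueError:
        return False  # hardened: duplicate address refused at registration
    for token in svc.request_reset("victim@example.com", "attacker"):
        svc.reset_password(token, "pwned")
    return svc.login("victim", "pwned")


if __name__ == "__main__":
    print("weak mode hijacked:", hijack_attempt(False))      # True
    print("hardened mode hijacked:", hijack_attempt(True))   # False
```

Note that in hardened mode the attack is stopped twice over: the duplicate address is rejected at registration, and even if it were not, a reset request never returns a token to the caller but only mails it to the verified owner. Either fix alone would have been enough to block the scenario described above; together they also prevent the account confusion that the duplicate address causes.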
Microsoft acquired Skype in October 2011 but it is not clear when this vulnerability was introduced.
I tested this myself by setting up a new account with an email address that already has a Skype account. It worked, though I did not take it to the next stage. Incidentally, I now have a Skype account which cannot be deleted, as Skype does not allow this. However, I have now reset the email.
As it happens, I have suffered in the past from people opening accounts with my email address, I believe through innocent error, such as forgetting to type the number in an address like someoneNN@yahoo.com or the like. One person set up an Apple iTunes account with my email address, complete with credit card details. I complained to Apple, who disabled the account, but as with Skype it cannot be deleted. So if I ever want to use that email address for an Apple account I will have problems.
That was a few years ago. It is astonishing that a company the size of Skype/Microsoft, handling and storing vast amounts of personal information, would have such weaknesses in its security.
Who will trust Skype now?
Update: It also appears that this flaw, or part of it, was reported to Skype back in August. That makes this a failure of management as well as of security.