Tag Archives: skype

Skype vulnerability exposes poor security in web application. Who will trust Skype now?

Today there are reports of a breathtakingly bad vulnerability in Skype, that allows anyone to hijack another person’s account simply by knowing the email.


Password resets have now been disabled, fixing the problem temporarily, but it remains inexcusable.


It is basic security practice that ownership of an email address must be validated with a confirming email to that address and a special link. I see this on web forums that discuss trivia – why not on Skype where you can spend real money, and more seriously, see contacts and conversation history?

There must be a second weakness here, in that somehow the new account ends up getting confused (by Skype) with the existing one. It should not be possible to create an account with an email address that is in use on another account. Actually I count three weaknesses:

1. You can create an account with an email address that is not validated.

2. You can create an account with an email address that is already in use on another account.

3. You can reset the password on another account without having access to their email address, by resetting it on a second account with the same email address.

Microsoft acquired Skype in October 2011 but it is not clear when this vulnerability was introduced.

I tested this myself by setting up a new account with an email address that already has a Skype account. It worked though I did not take it to the next stage. Now I have a Skype account, incidentally, which cannot be deleted as Skype does not allow this. However I have now reset the email.

As it happens, I have suffered in the past from people opening accounts with my email address, I believe because of innocent error, such as forgetting to type the number in an account like someoneNN@yahoo.com or the like. One person set up an Apple iTunes account with my email address, complete with credit card details. I complained to Apple who disabled the account, but as with Skype, it cannot be deleted. So if I ever want to use that email address for an Apple account I will have problems.

That was a few years ago. It is astonishing that a company the size of Skype/Microsoft, handling and storing vast amounts of personal information, would have such weaknesses in its security.

Who will trust Skype now?

Update: It also appears that this flaw, or part of it, was reported to Skype back in August. This is a failure of management as well as security.

aQuantive may be Microsoft’s biggest acquisition failure. Have there been good ones? A look back.

Today’s news that Microsoft  is writing off $6.2 billion from the useless acquisition of aQuantive in August 2007 gives me pause for thought.

How bad is this company at acquisitions? Particularly those under CEO Steve Ballmer’s watch. He became CEO in January 2000.


Microsoft acquired Danger in February 2008 for $500M. Small relative to the aQuantive acquisition, but how much further money did the company burn transforming Danger from an excellent cloud and mobile company to the group that came up with Kin, the phone withdrawn from the market after just two months on sale? Not to mention the downtime and threatened loss of data suffered by Danger’s online service under Microsoft’s stewardship.

Microsoft attempted to buy Yahoo for $44.6bn in 2008. Yahoo’s executives declined, a move that was (very) bad for Yahoo shareholders but quite possibly right in a business sense; it would not have been a good fit.

Microsoft acquired Groove Networks complete with Notes inventor Ray Ozzie in March 2005. I put this in the disaster category. Groove went nowhere at Microsoft. Ozzie became Chief Software Architect and talked of internet vision but did not deliver. The wretched SharePoint Workspace is apparently based on Groove.

What about the good ones? My view is that Microsoft paid too much for Skype at $8.5 billion but at least it acquired a large number of users and has some chance of enhancing its mobile offerings with Skype integration.

Microsoft acquired Bungie in 2000 and given the success of Halo (without which, maybe, the whole Xbox project might have faltered) we have to count that a success, even though Bungie was spun off back to independence in 2007.

Other notables include Great Plains in December 2000 (now morphed into Dynamics ERP); Connectix in February 2003 which got Microsoft started in virtualization; and Opalis in December 2009 whose software now plays a key role in Microsoft’s System Center 2012 private cloud software.

Winternals in July 2006 was a great acquisition. Microsoft acquired some indispensable Windows troubleshooting tools, and also Mark Russinovich and Bryce Cogwell, able people who I suspect contributed to the transformation of Windows Vista into Windows 7, and in the case of Russinovich, to the technology in Windows Azure which now seems reborn as an excellent cloud platform.

You can see all Microsoft’s completed acquisitions here.

(If the company would like to acquire itwriting.com for a few billion I am willing to talk.)