By Richard Adhikari
TechNewsWorld
View the Original article
TechNewsWorld
Skype has fixed a flaw that allowed a hacker to hijack legitimate accounts using only the account owner's email address. The issue was a hole in the process for resetting a user's password, said Brian Laing, director of U.S. marketing and products at AhnLab. "This is something Skype should not have allowed."Skype on Wednesday fixed a vulnerability that allowed users' accounts to be hijacked using the password reset process.
The vulnerability was published two months ago on the Russian site Xeksec.
Skype has fixed the problem by updating the password reset process.
How the Hack Worked
To exploit the vulnerability, all a hacker needed to know a victim's email address. By entering that address on Skype's sign-in page, hackers would receive a warning that an account with that email address already exists.
The hacker could then create a new Skype account tied to another email address and Skype would email a reminder of the original username associated with that account. It would also send a password reset token that could be used to freeze out the actual owner of the Skype account.
From there, the hacker could run the Skype application with the new credentials.
The vulnerability has been publicized on several Russian forums and blogs, and was being actively exploited in the wild, Kaspersky Labs said.
Who Got Hit
The vulnerability affected some users with multiple Skype accounts registered to the same email address.
Skype suspended the password reset feature temporarily on Wednesday morning prior to updating the process and is reaching out to a small number of users who may have been impacted.
Skype declined to provide further details.
Logic Problems
The Skype vulnerability is an example of a flaw that emerges "due to inherent logic issues in the overall system, which do not typically require any custom code to exploit," said Brian Laing, director of U.S. marketing and products at AhnLab.
"Given that this is a process issue, the coding change to resolve
View the Original article
No comments:
Post a Comment