I changed Josh’s, locking him out of the account and letting me in. Having done all that, I could see my username for Josh’s account, and Josh’s username (for the first time – note, I had no idea what it was until this point) for his account, as well as change the password for whichever I pleased. Then, minus a couple of key steps, you can use a password reset token to gain access to your target’s account. Essentially, that email address is used to create a new account with your own email address tied to it. We reproduced the attack, step-by-step, and managed to access the Skype accounts of TNW writer (with permission) Josh Ong (as well as editor Matt Brian to verify again) with only their email addresses. To protect yourself, you would have to change your email address to one that nobody knows or could easily guess, but most likely Microsoft will get around to fixing the problem before that becomes necessary. To exploit this flaw, all you need to know is your victim’s email address tied to their Skype account. The company has informed us it is currently conducting an internal investigation. We’ve been in touch with Skype over the past few hours to give them a chance to address this vulnerability. Kype appears to have pulled its password reset page, stopping this flaw in its tracks (Confirmed, read below for details). The issue was first posted on a Russian forum two months ago and has been confirmed by The Next Web (we have not linked to any of the blogs or posts detailing the exploit because it is very easy to reproduce). A new security hole has been discovered in Microsoft’s Skype that allows anyone to change your password and thus take over your account.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |