Do we need stronger email addresses?

Posted by Virus Bulletin on Nov 14, 2012

Skype vulnerability allowed for account hijacking using only email address.

A worryingly trivial vulnerability in the VoIP service Skype became public this morning: it allowed anyone to take over a user's Skype account using nothing but the email address linked to that account.

The method - which was posted on Russian underground forums a few months ago and allegedly used to hijack the account of the Russian opposition leader - consisted of creating a new account using the same email address the victim had used to create their own account. While Skype gives a warning that the address is already in use, it does not prevent the new account from being created; the email address is never verified. Once the account had been created, the attacker only had to log into Skype and request a password reset using a web browser, which resulted in the Skype interface displaying a one-time password that allowed the attacker to take over the victim's account.

Skype's owner Microsoft responded quickly when the vulnerability was made public, and closed the link between the password reset in the web browser and the Skype interface; indeed, we were not able to reproduce the method. However, account creation using a previously used email address is still possible.

While vulnerabilities like this - ones that require no technical knowledge to exploit - are rare, account hijacks based solely on knowledge of the email address linked to an account are not unique: many high-profile account compromises have shown that such knowledge helps a great deal in attacks that use social engineering. Users would thus do well to consider using a unique, hard-to-guess email address for important accounts: password reset features have long been known to be a security weakness, so making it harder to trigger a password reset is a sensible thing to do.

In the meantime, we hope that Microsoft will make new Skype accounts verify the email address linked to the account, regardless of whether the address has been used before. Currently, Skype's ability to search users by their email address makes it easy to impersonate someone on the service - the fact that we were able to create a Skype account using Bill Gates's email address and then find him using a search on that address is a little worrying.
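To make the two policies concrete, here is a small model of an account directory that can run either way: the permissive behaviour described above (an address can be attached to any number of accounts and is never verified, and a reset code is handed to whichever logged-in account claims the address) and the proposed fix (an address counts as belonging to an account only once the mailbox owner has redeemed a verification token, and reset codes go only to the mailbox). This is an added illustration, not Skype's or Microsoft's code; the class names, the `strict` flag and the `example.com` addresses are assumptions made for the example.

```python
"""Toy account directory contrasting an unverified-email policy with a verified one.

Constructed example for illustration; not Skype's or Microsoft's implementation.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    email: str
    verified: bool = False
    verify_token: Optional[str] = None


class AccountStore:
    """strict=False: any account may claim any address and is trusted on its word.
    strict=True: an address belongs to an account only after verification."""

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, email: str) -> str:
        """Create an account and return the token that would be emailed to `email`.
        The token is only ever delivered to the mailbox, never shown in the client."""
        if username in self.accounts:
            raise ValueError("username taken")
        token = secrets.token_urlsafe(32)
        self.accounts[username] = Account(username, email.lower(), False, token)
        return token

    def verify_email(self, username: str, token: str) -> bool:
        """Redeem a verification token; only the mailbox owner can have seen it."""
        acct = self.accounts[username]
        if acct.verify_token is None or not secrets.compare_digest(acct.verify_token, token):
            return False
        acct.verified, acct.verify_token = True, None
        return True

    def find_by_email(self, email: str) -> list[str]:
        """Directory search by address, as a user search or a reset flow would do.
        In strict mode only verified bindings are visible."""
        email = email.lower()
        return sorted(a.username for a in self.accounts.values()
                      if a.email == email and (a.verified or not self.strict))

    def password_reset_target(self, email: str, requester: str) -> str:
        """Where a reset code for `email`, requested from account `requester`, is sent.
        'in_app' = shown to the logged-in requester, 'mailbox' = sent to the address only,
        'refused' = no account owns the address."""
        matches = self.find_by_email(email)
        if not matches:
            return "refused"
        if not self.strict:
            # Merely claiming the address at sign-up is enough to receive the code in the
            # client: this is the weakness the post describes.
            return "in_app" if requester in matches else "refused"
        # Strict: the code goes to the mailbox only, so an unverified account that names
        # the address gives its holder nothing.
        return "mailbox"


def scenario(strict: bool) -> dict:
    """Victim owns the mailbox and verifies; a second account later claims the same
    address but can never redeem its token. Constructed sample data."""
    store = AccountStore(strict=strict)
    victim_token = store.register("victim", "victim@example.com")
    store.verify_email("victim", victim_token)       # mailbox owner redeems the token
    store.register("second", "victim@example.com")   # token never redeemed
    return {
        "search": store.find_by_email("victim@example.com"),
        "reset_from_second": store.password_reset_target("victim@example.com", "second"),
        "reset_from_victim": store.password_reset_target("victim@example.com", "victim"),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "permissive", scenario(mode))
```

Running it shows the difference the post argues for: in permissive mode the search for the address returns both accounts and the second account is handed the reset code in the client, while in strict mode the unverified account is invisible to search and a reset only ever reaches the mailbox, so creating an account on someone else's address achieves nothing.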

More at Kaspersky's Securelist blog, together with the official statement from Microsoft.

Posted on 14 November 2012 by Martijn Grooten
