Skype fixes account hijacking vulnerability
Posted on 14 November 2012.
Skype temporarily disabled its password reset function while it investigated reports of a vulnerability that had been misused to hijack users' accounts. The function is now available again, as the company claims to have fixed the problem.


The attack was easy to execute - the only thing the attacker needed was the email address the victim had used to open his Twitter account.

Armed with this information, the attacker could use the same email address to open another account and then request a password reset. With the password reset token, which was sent to the attacker's Skype client, he could enter the victim's account and lock him out.

According to the BBC, details of the vulnerability were posted two months ago on a Russian forum, but remained unknown to the general public until they were shared on Reddit.

The attack was reproduced both by The Next Web and heise Security, and Skype has been notified about the existence of the flaw.

"We are reaching out to a small number of users who may have been impacted to assist as necessary," shared Skype engineer Leonas Sendrauskas.
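The reset flow described above can be modelled to show why it fails and what a fix has to enforce. This is an added example, not Skype's code: the `ResetService` class, its method names and the `example.test` address are hypothetical. It assumes the weak service scopes a reset token to an email address and pushes it to the requester's logged-in client, while the hardened one binds the token to a single account and delivers it only to a verified mailbox.

```python
import secrets

class ResetService:
    def __init__(self):
        self.email_of = {}      # account name -> registered email
        self.verified = set()   # accounts that proved control of their email
        self.client_inbox = {}  # account name -> in-app notifications
        self.mailbox = {}       # email address -> delivered messages
        self.tokens = {}        # token -> set of accounts it may reset

    def register(self, name, email, verified=False):
        self.email_of[name] = email
        self.client_inbox[name] = []
        if verified:
            self.verified.add(name)

    def reset_weak(self, requester):
        # Weak: token covers every account sharing the address and is
        # pushed to the requester's logged-in client.
        email = self.email_of[requester]
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {n for n, e in self.email_of.items() if e == email}
        self.client_inbox[requester].append(token)

    def reset_hardened(self, target):
        # Hardened: token is bound to one account, issued only for a
        # verified address, and leaves the service only via that mailbox.
        if target not in self.verified:
            return False
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {target}
        self.mailbox.setdefault(self.email_of[target], []).append(token)
        return True

    def can_reset(self, token, name):
        return name in self.tokens.get(token, set())

def run_demo():
    svc = ResetService()
    svc.register("owner", "owner@example.test", verified=True)  # constructed data
    svc.register("newcomer", "owner@example.test")  # same address, unverified
    svc.reset_weak("newcomer")
    leaked = svc.client_inbox["newcomer"][-1]
    weak_takeover = svc.can_reset(leaked, "owner")
    svc.tokens.clear()
    issued_unverified = svc.reset_hardened("newcomer")
    svc.reset_hardened("owner")
    mailed = svc.mailbox["owner@example.test"][-1]
    return {"weak_takeover": weak_takeover, "issued_unverified": issued_unverified,
            "in_app_leak": mailed in svc.client_inbox["newcomer"],
            "mailed_resets_newcomer": svc.can_reset(mailed, "newcomer")}
```

In the weak flow the second account receives a token that resets the first; in the hardened flow the unverified account gets nothing, and the owner's token appears only in the mailbox and works for that one account.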





