11.14.12
Skype Cracked, All User Accounts Are Vulnerable (Updated)
Summary: A Russian site explains how to take over any account
According to this, Microsoft Skype gets the very basics wrong:
Here’s the original link where I’ve read about this (in Russian) – http://habrahabr.ru/post/158545/ with multiple people in the comments confirming it works and also reporting their accounts were stolen.
Here’s how it works:
1. Sign up for a new Skype account. Use the victim’s email. A warning will come up that an account with that email already exists, but you can still proceed with filling out the form and account creation.
2. Log in to the Skype client with your new account.
3. https://login.skype.com/account/password-reset-request – request a password reset using the victim’s email.
4. You will get a password reset notification and token in your Skype client. Follow the link to pick the victim’s account and reset the password.
It appears the only way to safeguard yourself for now is to change your main Skype account email to one that’s not publicly known.
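The design flaw described above, as an added example that is not part of the original post or Skype's code: a simplified model of a reset flow that lets an unverified duplicate e-mail receive the token in-client, next to a hardened flow that refuses duplicate addresses and mails the token only to a verified mailbox. The class, function and account names and the `example.test` address are assumptions constructed for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    name: str
    email: str
    email_verified: bool  # True only after the owner clicked a link mailed to `email`

class AccountStore:  # hypothetical model, not Skype's implementation
    def __init__(self, enforce: bool):
        self.enforce = enforce
        self.accounts: list[Account] = []

    def register(self, name: str, email: str) -> Account:
        # Hardened: a second sign-up with an already-registered address is
        # refused instead of producing only a warning.
        if self.enforce and any(a.email == email.lower() for a in self.accounts):
            raise ValueError("email already registered")
        acct = Account(name, email.lower(), email_verified=False)
        self.accounts.append(acct)
        return acct

    def request_reset(self, email: str) -> list[tuple[str, str, str]]:
        """Return (channel, destination, token) deliveries for a reset request."""
        token = secrets.token_urlsafe(32)
        matches = [a for a in self.accounts if a.email == email.lower()]
        if self.enforce:
            # Hardened: the token goes only to the mailbox, and only when
            # ownership of that mailbox was proven for the account.
            return [("email", a.email, token) for a in matches if a.email_verified]
        # Weak (behaviour described above): every account carrying the address,
        # verified or not, gets the token as an in-client notification.
        return [("in_client", a.name, token) for a in matches]

def demo(enforce: bool) -> list[tuple[str, str]]:
    store = AccountStore(enforce)
    owner = store.register("owner_account", "owner@example.test")  # constructed data
    owner.email_verified = True
    try:
        store.register("second_account", "owner@example.test")
    except ValueError:
        pass  # hardened store rejects the duplicate sign-up
    return [(ch, dest) for ch, dest, _ in store.request_reset("owner@example.test")]

if __name__ == "__main__":
    print("weak:    ", demo(False))
    print("hardened:", demo(True))
```

In the weak model the reset token reaches an account that never proved control of the mailbox; in the hardened model the only delivery is to the verified address itself.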
There are many good reasons to avoid Skype and many good alternatives. The other day a Pidgin developer complained about the secret messaging protocols of Skype. These are deliberately non-interoperable. Since Microsoft moves its IM services to Skype, this will only become a greater issue. █
Update: Flaw confirmed by Microsoft