Password Reset Zero-Day Reported to Skype Since October (Updated)
Vulnerability Lab provided the vulnerability's details to the company a long time ago
The details of a zero-day vulnerability that allows attackers to change the password of any Skype user have been posted on a Russian hacking forum. A similar security hole was identified by Vulnerability Lab researchers and it was reported to Skype at the beginning of October.The Next Web, which was the first to publicly reveal the existence of the flaw, reports that its details have been posted on the forum some two months ago.
The vulnerability can be leveraged to gain access to any account only by knowing the target’s username and email address.
The Vulnerability Lab told Softpedia about the existence of a similar issue back in October and they provided us with all the technical details, including a video proof-of-concept.
They asked us to hold back on publishing the article until Skype addressed the issue that was caused by an “unsanitized request.” However, at the time, Benjamin Kunz Mejri, the founder of Vulnerability Lab, revealed that all the details of the vulnerability were given to Skype on October 7.
Initially, we believed that the vulnerabilities might have been one and the same, but Mejri explained that the exploit he identified relied on a different authentication flaw.
In the meantime, Skype has disabled the password reset system to mitigate attacks that leverage it.
“We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority,” Microsoft representatives stated.
We’ve reached out to Microsoft to see if they can provide further clarifications regarding the similarities between the two bugs.
Update. The article has been updated to clarify that the issue identified by Vulnerability Lab is different than the one found on the Russian forum.
Update2. Microsoft has confirmed that the security hole reported by Vulnerability Lab is different than the one identified by TNW on the Russian forum.
The new issue affected users that had multiple Skype accounts registered to the same email address. The problem was addressed after the company made some updates to the password reset process.