Skype IDs hijackable by ANY FOOL who knows your email address

A vulnerability in Skype allows anyone to hijack its users' accounts just by knowing or guessing a punter's registered email address. The embarrassing security hole, which is trivial to abuse, was first discussed on a Russian underground forum three months ago. Last night a Russian blog publicised the bug, and details of the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    And they only just worked that one out....

    It's been known about for months.....

    1. The BigYin

      Three months...

      ...if the article is anything to go by.

      1. The BigYin
        FAIL

        Re: Three months...

        How the hell is that worth a downvote? It says it in the article FFS!

        1. Anonymous Coward
          Anonymous Coward

          Re: Three months...

          "How the hell is that worth a downvote? It says it in the article FFS!"

          Waaah! Waaah! Someone downvoted me!

          You poor thing. Have a wowwipop ...

          1. The BigYin

            Re: Three months...

            Not too worried about downvotes to be honest (check out some of my other posts).

            I just don't follow how pointing out the timeline specifically mentioned in the article can be disagreed with.

            I'm confused, not upset.

            1. Anonymous Coward
              Anonymous Coward

              Re: Three months...

              "I just don't follow how pointing out the timeline specifically mentioned in the article can be disagreed with."

              Who said they DV'd you because they disagreed? Maybe the DV was because you were only repeating the content of the article?

              Not that I've down or upvoted any posts in this thread.

        2. Michael Wojcik Silver badge

          Re: Three months...

          Based on the flurry of downvotes for all of the early comments on this article, I assume some readers just don't like comments.

  2. Tom Chiverton 1
    Boffin

    And this is why services should allow '+' on the left-hand side of the '@' ... then even if you don't want to use auto-tagging or filtering, at least you can make the address unique to the service. Handy if they leak your data too...

    1. This post has been deleted by its author

    2. The BigYin
      Unhappy

      Gmail (to name one) does this, I am not sure about others. It also allows you to put a random "." anywhere in the local part. The big problem with using a "+" is that most sites reject it, when it is in fact valid.

      Are you a web dev? Read this, now go and fix all your no doubt incorrect email validation. So many sites fail on the "+" it's depressing.

      1. Anonymous Coward
        Anonymous Coward

        @The BigYin

        The RFC allows spaces and what are normally wildcard characters? Surely that would cause all manner of breakage?

        1. xyz Silver badge
          Devil

          Re: @The BigYin

          The RFC allows numerous characters as long as the local side of the address is in double quotes. Most people coding SMTP address validation don't understand this though. The Wikipedia "Email Address" entry covers this quite well.

        2. The BigYin

          Re: @The BigYin

          Not if you are correctly handling the data. And that means not writing your own code, but using the widely available libraries for escaping etc. that exist for every major language. But you are quite right, if one has hired developers who just concatenate email addresses into SQL strings, then you will suffer.

          The BigYin's maxim: If you think you know how to validate an email address, then you don't know how to validate an email address.

          If there is some limitation, then that needs to be clearly documented and a proper error shown, not just crap like "Your address is invalid".

          For example, I've worked on projects where we can't accept a backslash ("\") amongst other things in certain situations (not going into all the ins and outs of why - legacy is a bitch) - so we displayed a message along the lines of "The characters "\, £, and /" cannot be used in an email address". Clear, simple and lets the user know enough to use a different email (or call support and have a good moan).

          1. Phil Endecott

            Re: @The BigYin

            > If there is some limitation, then that needs to be clearly documented and a proper error

            > shown, not just crap like "Your address is invalid".

            One major site did that to me recently. I eventually discovered that it didn't like the sequence 's','p','a','m' anywhere in my email address.

    3. Darkimmortal

      Or you should use a catch-all like everyone else

      1. Anonymous Coward 15

        Re: Or you should use a catch-all like everyone else

        If you like spam, egg, spam, spam, bacon and spam.
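The sub-thread above (allowing "+" sub-addressing, quoted local parts per RFC 5322, and giving a clear error for a documented site limitation rather than "Your address is invalid") is easy to get wrong in a hand-rolled regex. The following is an added example written for this page, not code from any commenter or from Skype: it puts the kind of over-strict home-grown check the commenters complain about next to a validator that accepts the dot-atom and quoted-string forms the RFC actually allows, and shows the explicit error message for a site-specific forbidden-character list. The `forbidden` parameter and the sample addresses are assumptions constructed for the example.

```python
import re

# RFC 5322 "atext": the characters allowed unquoted in the local part.
# Note that + is in here, as are ' ! # $ % & * / = ? ^ _ ` { | } ~ and -.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
# dot-atom: runs of atext separated by single dots (no leading/trailing/double dots).
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
# quoted-string local part: any printable char or space except " and \,
# unless escaped with a backslash (quoted-pair).  This is what lets
# "john smith"@example.com through.
QUOTED = r'"(?:[\x20\x21\x23-\x5b\x5d-\x7e]|\\[\x20-\x7e])*"'
# Domain: dot-separated LDH labels of at most 63 characters.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN = rf"{LABEL}(?:\.{LABEL})+"

EMAIL_RE = re.compile(rf"^(?:{DOT_ATOM}|{QUOTED})@{DOMAIN}$")

# The over-strict check the thread complains about: only letters, digits,
# dot, underscore and hyphen before the @, so alice+skype@example.com fails.
NAIVE_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def naive_is_valid(addr: str) -> bool:
    """The typical home-grown validator: rejects perfectly valid '+' tags."""
    return bool(NAIVE_RE.match(addr))


def validate(addr: str, forbidden: str = "") -> tuple[bool, str]:
    """Return (ok, message).

    `forbidden` is an assumed site-specific list of characters the backend
    cannot store (the legacy-system case from the thread).  Such a limit is
    reported explicitly, listing the offending characters, instead of a
    generic "invalid address" message.
    """
    local, sep, _domain = addr.rpartition("@")  # last @: the domain never contains one
    if not sep:
        return False, "An email address must contain an @."
    bad = sorted(set(c for c in local if c in forbidden))
    if bad:
        return False, (f"The characters {', '.join(bad)} cannot be used in an "
                       f"email address on this site.")
    if len(addr) > 254:
        return False, "Email addresses longer than 254 characters are not supported."
    if len(local) > 64:
        return False, "The part before the @ may be at most 64 characters."
    if not EMAIL_RE.match(addr):
        return False, "This does not look like a valid email address."
    return True, "ok"


def tagged(addr: str, tag: str) -> str:
    """Build a unique-to-site sub-address, e.g. alice+skype@example.com.

    Only the unquoted (dot-atom) form is handled; a quoted local part would
    need the tag placed inside the quotes.
    """
    local, _sep, domain = addr.rpartition("@")
    if local.startswith('"'):
        raise ValueError("quoted local parts are not tagged by this helper")
    if not re.fullmatch(rf"[A-Za-z0-9_-]+", tag):
        raise ValueError("tag must be a simple alphanumeric label")
    return f"{local}+{tag}@{domain}"


if __name__ == "__main__":
    for a in ("alice+skype@example.com", '"john smith"@example.com',
              "a.l.i.c.e@example.com", "alice..b@example.com"):
        print(f"{a:32} naive={naive_is_valid(a)!s:5} rfc={validate(a)}")
    print(validate('"al\\ce"@example.com', forbidden="\\£/"))
```

Note the two lengths are checked on the raw string before the regex so the error names the actual limit, and that the only place a site-specific restriction is enforced is the `forbidden` check, which reports exactly which characters were refused.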

  3. NoneSuch Silver badge
    Thumb Up

    This is fantastic!!!

    Now THEY can talk to my Mother-in-law...

    1. Anonymous Coward
      Anonymous Coward

      Re: This is fantastic!!!

      Based on the down vote, it looks like someone already has....

  4. Anonymous Coward
    Anonymous Coward

    secret email address

    WTF is a secret email address? Or did you mean (as evidenced by the above posters) a unique-to-site email address.

    1. The BigYin
      Joke

      Re: secret email address

      Can't tell you, it's a secret.

  5. GitMeMyShootinIrons
    FAIL

    And this is the replacement to Windows Messenger?

    Fills me with real faith....

  6. apjanes
    WTF?

    Am I being stupid or...

    is the real answer to send the password reset details to the email address being used (which presumably the hacker has no access to) rather than the Skype client?
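The design the comment above asks for is the standard one: the reset secret is generated server-side, only a hash of it is stored, it is delivered solely to the mailbox whose ownership has been confirmed, and the requesting client gets nothing back but a fixed message. The following is an added example for this page, not Skype's code and not a description of how Skype's reset worked; the in-memory store, the `outbox` list standing in for SMTP delivery, the `example.invalid` link and the injectable `clock` are assumptions constructed so it runs offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL = 15 * 60          # reset links expire after 15 minutes (assumed policy)
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool     # has the user proven they read mail at `email`?
    pw_salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class ResetService:
    """Minimal password-reset flow where the secret never reaches the client."""

    def __init__(self, clock=time.time):
        self.accounts: dict[str, Account] = {}      # username -> Account
        self.pending: dict[str, tuple[str, float]] = {}  # sha256(token) -> (username, expiry)
        self.outbox: list[tuple[str, str]] = []     # constructed stand-in for outgoing mail
        self.clock = clock

    def register(self, username, email, password, email_verified=False):
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, email, email_verified,
                                          salt, hash_password(password, salt))

    def request_reset(self, email: str) -> str:
        """Client-facing entry point.

        Whatever the outcome, the caller sees the same message.  A token is
        minted only for accounts whose ownership of `email` was verified, so
        registering a fresh account with someone else's address earns nothing,
        and the token itself goes only to that mailbox.
        """
        for acct in self.accounts.values():
            if acct.email.lower() == email.lower() and acct.email_verified:
                token = secrets.token_urlsafe(32)
                digest = hashlib.sha256(token.encode()).hexdigest()
                self.pending[digest] = (acct.username, self.clock() + TOKEN_TTL)
                self.outbox.append((acct.email,
                                    f"Reset link for {acct.username}: "
                                    f"https://example.invalid/reset?t={token}"))
        return "If that address is registered, a reset link has been sent to it."

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume a token from the emailed link.  Single use, time-limited."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)      # pop: a token works once
        if entry is None:
            return False
        username, expires_at = entry
        if self.clock() > expires_at:
            return False
        acct = self.accounts[username]
        acct.pw_salt = secrets.token_bytes(16)
        acct.pw_hash = hash_password(new_password, acct.pw_salt)
        return True

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.pw_salt))


if __name__ == "__main__":
    svc = ResetService()
    svc.register("victim", "victim@example.com", "old-pw", email_verified=True)
    svc.register("newcomer", "victim@example.com", "anything")   # unverified, same address
    print(svc.request_reset("victim@example.com"))
    print("mail sent to:", [to for to, _ in svc.outbox])
```

Two properties carry the weight here: the client-facing response carries no secret and does not vary with whether the address exists, and the lookup is keyed on the hash of the token, so a leaked `pending` table does not by itself let anyone reset a password.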

  7. chiller

    "The embarrassing security hole"

    Warning, understatement alert detected.

  8. Mike Cardwell

    OTR

    "it is also possible to download private chat logs for the compromised account" - This is why people should use OTR. If your IM provider doesn't have your chat logs, they can't leak them.

  9. crayon
    Big Brother

    Whenever signing up for these things I always give the least amount of information where possible, and fill in fake details wherever needed. That's probably why both my skype accounts only have username/password associated with them.

