Modernizing Authentication — What It Takes to Transform Secure Access
In a recent blog post, French developer Jean-Pierre Lesueur, a.k.a. DarkCoderSc, contended that it's disturbingly easy to trick Skype support into providing you with access to any Skype account (h/t The Hacker News).
On April 10, Lesueur writes, he received an e-mail from Microsoft telling him his Skype password had been successfully reset. He first checked his computers to make sure they hadn't been compromised, but found nothing -- and realized the attacker had simply leveraged weaknesses in Skype's own password recovery system.
All you need to know in order to commandeer a Skype account, Lesueur says, is the target's e-mail address, a few of the target's Skype contacts, and the target's billing e-mail address (if applicable).
"I will not go into detail because the goal of this article is not to demonstrate to script kiddies how to have fun, but to achieve such a thing you simply need to request a new password from Skype support, asking them to change the password because you just forgot your email and your password," Lesueur writes.
In his case, Lesueur writes, the hacker had used his access to send all of Lesueur's contacts a message asking for money. "Most of them trust me and my account, so they were inclined to accept," he writes. "Fortunately the hacker decided to give me back the account before Microsoft did -- maybe because I had his real personal information. Notice that this person could potentially spread phishing attempts via my compromised account, or infect my system or those of my contacts with some type of malware, without any problems."
Looking ahead, Lesueur says he hopes that Microsoft will implement "a system like Google uses and which [sends] an SMS to your personal phone before changing anything."
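The weakness described above is that Skype's recovery process accepted facts an attacker can collect (an e-mail address, a few contact names) as proof of ownership. The mitigation Lesueur asks for is to bind any change to an out-of-band channel the account holder registered in advance. The following Python sketch is an added example, not code from Lesueur's post or from Skype or Microsoft; it shows a recovery service that sends a short-lived code to a registered phone number, never treats contact names or e-mail addresses as evidence, and only allows a password reset after that code has been presented. The class and function names, the constructed `accounts` dictionary, and the phone number are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 600   # a recovery code is useless after ten minutes
MAX_ATTEMPTS = 3         # a 6-digit code must not be brute-forceable through the API


def _hash(value: str) -> str:
    # Adequate for a short-lived one-time code; a real deployment would store
    # passwords with a dedicated password KDF (argon2/bcrypt/scrypt) instead.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Account:
    username: str
    password_hash: str
    phone: str  # out-of-band channel registered *before* any recovery request


@dataclass
class RecoveryRequest:
    code_hash: str
    created: float
    attempts: int = 0
    verified: bool = False


class RecoveryService:
    """Account recovery that requires possession of a registered device.

    Nothing an attacker can learn by looking at the account from the outside
    (contact list, billing e-mail, username) is accepted as proof here.
    """

    GENERIC_REPLY = "if the account exists, a code has been sent to its registered phone"

    def __init__(self, accounts: dict, send_sms, now=time.time):
        self.accounts = accounts
        self.send_sms = send_sms      # injected so the example runs offline
        self.now = now                # injected so expiry can be tested
        self.pending: dict[str, RecoveryRequest] = {}

    def start(self, username: str) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            # Same reply for unknown accounts so the endpoint cannot be used to
            # confirm which usernames exist.
            return self.GENERIC_REPLY
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = RecoveryRequest(_hash(code), self.now())
        self.send_sms(acct.phone, f"Your recovery code is {code}")
        return self.GENERIC_REPLY

    def verify(self, username: str, code: str) -> bool:
        req = self.pending.get(username)
        if req is None:
            return False
        if self.now() - req.created > CODE_TTL_SECONDS:
            del self.pending[username]
            return False
        req.attempts += 1
        if req.attempts > MAX_ATTEMPTS:
            del self.pending[username]   # too many guesses: start over, new code
            return False
        if hmac.compare_digest(req.code_hash, _hash(code)):
            req.verified = True
            return True
        return False

    def reset_password(self, username: str, new_password: str) -> bool:
        req = self.pending.get(username)
        if req is None or not req.verified:
            return False                 # no verified out-of-band step, no change
        self.accounts[username].password_hash = _hash(new_password)
        del self.pending[username]       # a verified request is single-use
        return True


if __name__ == "__main__":
    # Constructed sample data; the "SMS" is just printed to the console.
    accounts = {"alice": Account("alice", _hash("old-password"), "+1-555-0100")}
    svc = RecoveryService(accounts, lambda phone, msg: print(f"SMS to {phone}: {msg}"))
    print(svc.start("alice"))
    print("reset without code:", svc.reset_password("alice", "attacker-chosen"))
```

The two properties worth noting are that `reset_password` refuses to act until `verify` has succeeded for the same request, and that the code is bounded both in lifetime and in guesses, so the recovery endpoint itself does not become the weak link that the support-desk process was in Lesueur's case.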