Posted by Jean-Pierre LESUEUR & filed under Security.

I had just woken up this morning when I encountered my first surprise of the day: I had received a pleasant mail from Microsoft telling me that the password of my Skype account had been successfully reset. At first I thought it was some sort of bad joke, maybe a kind of phishing attempt, but after analyzing the mail header and checking my Skype account it appeared to be true.

Here is a copy of the original email (sorry, it is in French):

[Image: skypehijack (screenshot of the password-reset notification e-mail)]

As we can see, the person behind that extremely bad joke managed to change the password and the associated email address. The first question that arose was: how the hell did he do that?

- Was I compromised?
- Was I the victim of a new Skype 0day vulnerability?
- Was this simply an unknown bug in Skype?

Immediately I checked all my computers connected to this account. I used third-party programs for deep analysis and log analysis. Nothing strange could be found, so nobody had managed to steal my personal data and/or my passwords.

So how did he manage to change the password? He simply used a weakness in Skype's password recovery system itself.

How to

To do such a thing you must know a few bits of information:

- The target's email address
- A few of the target's Skype contact accounts
- Their billing email, if used.

I will not go into great detail, because the goal of this article is not to show script kiddies how to have fun, but to achieve such a thing you simply request a new password from Skype support, asking them to change the password because you just forgot your email and your password (lol).

After that initial step you will need to prove you are the real owner of the account. You must give 5 contact accounts to the support desk. That's easy, because you just have to add 5 fake temporary accounts to the target account and it's done. Another option is to simply ask the intended victim which people he knows on Skype. That option wasn't that hard because I have over 1000 contacts. Finally, if you have paid for Skype credits, Skype support will ask for the email used to pay. Oh wait. It is the same email account.

A few moments later you are the new owner of the Skype account.

The more I think about it, the more I'm convinced that security is a big joke at Microsoft, the owners of Skype. It seems that the largest IT company in the world has created a huge security mess. They are easy to socially engineer (aka manipulate humans) and their password system is so weak that anybody anywhere – rich and poor, the powerful and the not so powerful – could have their Skype account compromised in just a few clicks. It could happen tomorrow, it could happen today or it might already have happened.

In my case the hacker sent all my contacts an automatic message asking for some Liberty Reserve money. Most of them trust me and my account, so they were inclined to accept. Fortunately the hacker decided to give me back the account before Microsoft did – maybe because I had his real personal information.

Note that this person could potentially have spread phishing attempts via my compromised account, or infected my system or those of my contacts with some type of malware, without any problem. In hindsight it was fortunate that the goal of this guy was simply to get some money to pay his bills.

As I previously said, I managed to get his personal information, but I will not post that information online because the perpetrator decided to return my account to me.

I will of course contact Microsoft to report this serious security issue. In my view this is a critical oversight that needs to be remedied quickly.

Also, Microsoft's Support Team should make a serious effort to communicate better with their customers. At the moment they do not seem to care that much about their customers. I myself am a good client for Microsoft and Skype because I have spent a lot of money buying their professional systems.

Skype will fully replace Windows Live, which means that more and more people will start using Skype, and that makes the problem even worse because more people will fall victim to the problem I described above.

Note that this identity spoofing is not the only security problem of that Microsoft service. Many months after it was reported to Microsoft, Skype still suffers from a network weakness which can reveal your real IP address to anybody, exposing you to DDoS attacks and related crude but effective hacking methods.

I also hope to see very soon a system like the one Google uses, which sends an SMS to your personal phone before changing anything. It's a system that Facebook has also incorporated.
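As an added illustration (not part of the original post, and not a description of how Skype or Microsoft actually work), here is a small Python model of the kind of recovery flow asked for above. Knowledge-based answers such as contact names or a billing e-mail never change anything by themselves: the password changes only after a one-time code sent to the phone already on file is entered, and that code expires, works once, and is discarded after a few wrong guesses. The in-memory account store, the SMS callback, the account name and the phone number are all constructed assumptions.

```python
# Added example: a recovery flow that changes nothing until the holder of the phone
# already on file confirms out of band. The in-memory store, the SMS callback and
# every name here are assumptions, not the real Skype/Microsoft system.
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # lifetime of a confirmation code
MAX_ATTEMPTS = 3             # wrong guesses before the request is discarded


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class RecoveryService:
    def __init__(self, accounts: dict, send_sms, now=time.time):
        self.accounts = accounts  # id -> {"phone": str, "salt": bytes, "pw": bytes}
        self.send_sms = send_sms  # callable(phone, text); injected so the demo can capture it
        self.now = now            # injectable clock so expiry can be exercised
        self.pending = {}         # id -> outstanding reset request

    def request_reset(self, account: str) -> bool:
        """Step 1: whatever the caller claims to know (contact names, billing
        e-mail), the only effect is an SMS to the phone on file."""
        if account not in self.accounts:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = {
            "code_hash": hashlib.sha256(code.encode()).digest(),
            "expires_at": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.send_sms(self.accounts[account]["phone"], f"Reset code: {code}")
        return True

    def confirm_reset(self, account: str, code: str, new_password: str) -> bool:
        """Step 2: only a correct, unexpired, never-used code changes the password."""
        req = self.pending.get(account)
        if req is None:
            return False
        if self.now() > req["expires_at"]:
            del self.pending[account]
            return False
        given = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(given, req["code_hash"]):
            req["attempts"] += 1
            if req["attempts"] >= MAX_ATTEMPTS:
                del self.pending[account]  # a new request means a new SMS to the owner
            return False
        del self.pending[account]          # single use: a replay fails at the lookup above
        acct = self.accounts[account]
        acct["salt"] = secrets.token_bytes(16)
        acct["pw"] = hash_password(new_password, acct["salt"])
        return True

    def verify_login(self, account: str, password: str) -> bool:
        acct = self.accounts.get(account)
        if acct is None:
            return False
        return hmac.compare_digest(hash_password(password, acct["salt"]), acct["pw"])


def wrong_code(code: str) -> str:
    """A six-digit code guaranteed to differ from `code` (used to simulate a blind guess)."""
    return "000000" if code != "000000" else "000001"


def demo() -> dict:
    """Runs the flow against one constructed account and returns each outcome by name."""
    outbox, clock = [], [1_700_000_000.0]        # stand-ins for the SMS gateway and the clock
    salt = secrets.token_bytes(16)
    accounts = {"alice": {"phone": "+0 000 000 000 (placeholder)",
                          "salt": salt, "pw": hash_password("old-pass", salt)}}
    svc = RecoveryService(accounts, lambda phone, text: outbox.append(text), now=lambda: clock[0])

    def last_code():                              # what the phone's owner reads
        return outbox[-1].split()[-1]

    results = {}
    # Knowing contact names or a billing address buys only a blind guess.
    svc.request_reset("alice")
    results["guess_rejected"] = not svc.confirm_reset("alice", wrong_code(last_code()), "evil")
    # The owner reads the SMS and completes the reset; the old password stops working.
    code = last_code()
    results["owner_confirmed"] = svc.confirm_reset("alice", code, "new-pass")
    results["old_password_dead"] = not svc.verify_login("alice", "old-pass")
    results["new_password_works"] = svc.verify_login("alice", "new-pass")
    results["replay_rejected"] = not svc.confirm_reset("alice", code, "evil")
    # A correct code presented after its lifetime is refused.
    svc.request_reset("alice")
    code = last_code()
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired_rejected"] = not svc.confirm_reset("alice", code, "evil")
    # Repeated wrong guesses discard the request rather than allow brute force.
    svc.request_reset("alice")
    for _ in range(MAX_ATTEMPTS):
        svc.confirm_reset("alice", wrong_code(last_code()), "evil")
    results["lockout_after_guesses"] = "alice" not in svc.pending
    return results
```

The point of the design is that the support desk's questions (contacts, billing address) drop out of the decision entirely: every outcome in `demo()` is decided by possession of the registered phone, a time limit and an attempt limit, which is what makes the 5-fake-contacts trick described earlier useless.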

~ Jean-Pierre LESUEUR

Greets to the TrojanForge security experts and friends who helped me understand how all of this was done.