Skype account hijack hole patched


Recovery function leads to account ownage.

Researchers have identified a critical flaw in Skype that allowed remote attackers to reset user accounts.

The now patched flaw resided in the account recovery function on the Skype website and could be exploited without any user interaction.

It was separate from the password recovery vulnerability discovered last week on a Russian hacking forum, which Skype has since fixed.

Vulnerability Lab chief executive Benjamin Kunz Mejri told SC that attackers could compromise and infiltrate targeted or random Skype accounts, read messages and change user details.

He said an authorisation request within Skype's recovery function was not sanitised.

"The critical application vulnerability is located in the recovery account function of the Skype account service application. In the recovery function is an auth request bound to the account session using the json form with jquery and the value of the intercape. The request itself is not sanitised. The value only checks if exist and if empty but [does] not validate the context again. The attacker can bypass the token protection via live session tamper to reset any account by exchanging the values local to his own."

"Exploitation requires `processing to request` via jquery implement JSon form request. It is only possible to manually exploit the remote vulnerability by using session tamper tools like Tamper Data. A remote attacker can, for example, bypass the token protection with values like "*/+[New Account Details]" or "[New Account Details]+/*" to reset random Skype application accounts or infiltrate a specific chosen account by changing usernames or passwords."
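The weakness Kunz Mejri describes in the two quotes above, a recovery token that the server only tests for presence and non-emptiness, is clearest beside a check that binds the token to the account and session it was issued for. The following Python is an added example written for this article; it is not Skype's code, and the RecoveryTokenStore class, the function names and the 15-minute token lifetime are assumptions made for illustration.

```python
"""Recovery-token validation: the flawed "exists and non-empty" check that the
article describes, beside a check that binds the token to the account and
session it was issued for. Constructed example; not Skype's code."""
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a recovery token


def _digest(token: str) -> str:
    # Store only a digest so a database read does not expose live tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class RecoveryTokenStore:
    """In-memory record of issued recovery tokens (constructed for this example)."""

    def __init__(self) -> None:
        self._issued = {}  # digest -> (account, session_id, expires_at)

    def issue(self, account: str, session_id: str, now: float) -> str:
        """Mint a random token bound to one account, one session and a deadline."""
        token = secrets.token_urlsafe(32)
        self._issued[_digest(token)] = (account, session_id, now + TOKEN_TTL_SECONDS)
        return token

    def lookup(self, token: str):
        return self._issued.get(_digest(token))

    def revoke(self, token: str) -> None:
        self._issued.pop(_digest(token), None)


def weak_token_check(submitted) -> bool:
    """The flaw described in the article: the value is only tested for presence
    and non-emptiness, so any injected non-empty string passes."""
    return submitted is not None and submitted != ""


def strong_token_check(store: RecoveryTokenStore, submitted, account: str,
                       session_id: str, now: float) -> bool:
    """Hardened check: the token must have been issued by the server, be bound
    to the same account and session, be unexpired, and be single-use."""
    if not isinstance(submitted, str) or not submitted:
        return False
    record = store.lookup(submitted)
    if record is None:
        return False  # never issued: a tampered or guessed value
    bound_account, bound_session, expires_at = record
    if now > expires_at:
        return False  # expired (a background sweeper would purge these records)
    # Constant-time comparison of the bindings avoids leaking which part mismatched.
    same_account = hmac.compare_digest(bound_account.encode(), account.encode())
    same_session = hmac.compare_digest(bound_session.encode(), session_id.encode())
    if not (same_account and same_session):
        return False
    store.revoke(submitted)  # single use: a replayed token fails
    return True


def demo() -> dict:
    """Exercise both checks with a legitimate token and a tampered value."""
    store = RecoveryTokenStore()
    token = store.issue("alice", "sess-1", now=1000.0)
    tampered = "*/+[New Account Details]"  # the kind of value the article quotes
    return {
        "weak_accepts_tampered": weak_token_check(tampered),
        "strong_rejects_tampered": not strong_token_check(store, tampered, "alice", "sess-1", 1001.0),
        "strong_rejects_other_session": not strong_token_check(store, token, "alice", "sess-9", 1001.0),
        "strong_accepts_legitimate": strong_token_check(store, token, "alice", "sess-1", 1001.0),
        "strong_rejects_replay": not strong_token_check(store, token, "alice", "sess-1", 1002.0),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that the submitted value is never trusted on its own: it is looked up against what the server issued, tied to the requesting session and account, expired after a short window and burned after one use, so swapping in a different account's details at the proxy changes nothing the server will honour.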

Kunz Mejri uploaded a proof of concept video to demonstrate the flaw.

Required for exploitation:
[+] Tamper Data or other live tamper software
[+] Web browser
[+] A random registered Skype user account

Exploitation techniques:
[+] Bypass the Skype recovery Page (request tamper) to new password or reset
[+] Bypass token protection via not empty value with positive values to match
[+] Hold the request via tamper include own values to setup the new password

Next Step(s):
[+] Decode CAPTCHA and send automatic values -> account service (remote exploit)



Copyright © SC Magazine, Australia
