Skype IDs hijackable by ANY FOOL who knows your email address

A vulnerability in Skype allows anyone to hijack its users' accounts just by knowing or guessing a punter's registered email address. The embarrassing security hole, which is trivial to abuse, was first discussed on a Russian underground forum three months ago. Last night a Russian blog publicised the bug, and details of the …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

And they only just worked that one out....

It's been known about for months.....

5
5
Silver badge

Three months...

...if the article is anything to go by.

8
4
Silver badge
FAIL

Re: Three months...

How the hell is that worth a downvote? It says it in the article FFS!

6
4
Anonymous Coward

Re: Three months...

"How the hell is that worth a downvote? It says it in the article FFS!"

Waaah! Waaah! Someone downvoted me!

You poor thing. Have a wowwipop ...

5
17
Silver badge

Re: Three months...

Not too worried about downvotes, to be honest (check out some of my other posts).

I just don't follow how pointing out the timeline specifically mentioned in the article can be disagreed with.

I'm confused, not upset.

7
3
Anonymous Coward

Re: Three months...

"I just don't follow how pointing out the timeline specifically mentioned in the article can be disagreed with."

Who said they DV'd you because they disagreed? Maybe the DV was because you were only repeating the content of the article?

Not that I've down or upvoted any posts in this thread.

1
6
Bronze badge

Re: Three months...

Based on the flurry of downvotes for all of the early comments on this article, I assume some readers just don't like comments.

0
0
Boffin

And this is why services should allow '+' on the left hand side of the '@' ... then even if you don't want to use auto-tagging or filtering, at least you can make the address unique to the service. Handy if they leak your data too...

4
1


Silver badge
Unhappy

Gmail (to name one) does this, I am not sure about others. It also allows you to put a random "." anywhere in the localpart. The big problem with using a "+" is that most sites reject it, when it is in fact valid.

Are you a web dev? Read this, now go and fix all your no doubt incorrect email validation. So many sites fail on the "+" it's depressing.

7
0

Or you should use a catch-all like everyone else

0
2

Re: Or you should use a catch-all like everyone else

If you like spam, egg, spam, spam, bacon and spam.

3
0
Anonymous Coward

@The BigYin

The RFC allows spaces and what are normally wildcard characters? Surely that would cause all manner of breakage?

0
2
xyz
Devil

Re: @The BigYin

The RFC allows numerous characters as long as the local side of the address is in double quotes. Most people code validating SMTP addresses don't understand this though. The Wikipedia "Email Address" entry covers this quite well.

2
0
Silver badge

Re: @The BigYin

Not if you are correctly handling the data. And that means not writing your own code, but using the widely available libraries for escaping etc. that exist for every major language. But you are quite right, if one has hired developers who just concatenate email addresses into SQL strings, then you will suffer.

The BigYin's maxim: If you think you know how to validate an email address, then you don't know how to validate an email address.

If there is some limitation, then that needs to be clearly documented and a proper error shown, not just crap like "Your address is invalid".

For example, I've worked on projects where we can't accept a backslash ("\") amongst other things in certain situations (not going into all the ins and outs of why - legacy is a bitch) - so we displayed a message along the lines of "The characters "\, £, and /" cannot be used in an email address". Clear, simple and lets the user know enough to use a different email (or call support and have a good moan).

2
0
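As an added illustration (example code written for this page, not something the commenter or the site wrote), here is a Python validator that accepts what RFC 5322 permits, including "+" tags, dotted local parts and quoted local parts, and that, where a site has a limitation of its own, names the refused characters the way the comment describes instead of replying "Your address is invalid". The `banned` set, the helper names and the sample addresses are assumptions for the example.

```python
"""Email-address validation that accepts what the RFCs accept ('+' tags,
dotted local parts, quoted local parts) and, when a site-specific limitation
applies, reports exactly which characters were refused."""
import re
from typing import FrozenSet, Optional, Tuple

# RFC 5322 "atext": characters allowed in an unquoted local part.
ATEXT = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "!#$%&'*+-/=?^_`{|}~"
)
# Hostname label: letters, digits and internal hyphens, 1-63 chars (RFC 1123).
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _cannot_use(chars) -> str:
    """Build the specific error text the comment above argues for."""
    listed = ", ".join('"' + c + '"' for c in chars)
    return f"The characters {listed} cannot be used in an email address."


def _quoted_local_ok(local: str) -> bool:
    """Quoted local part: "..." whose body is printable ASCII with
    backslash escapes (RFC 5322 qtext / quoted-pair)."""
    if len(local) < 2 or local[0] != '"' or local[-1] != '"':
        return False
    body = local[1:-1]
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            i += 1                     # escaped character must follow
            if i >= len(body):
                return False
        elif ch == '"' or not 32 <= ord(ch) <= 126:
            return False               # unescaped quote or non-printable
        i += 1
    return True


def _dot_atom_ok(local: str) -> bool:
    """Unquoted local part: dot-separated runs of atext, none empty."""
    return all(part and all(c in ATEXT for c in part) for part in local.split("."))


def validate_email(address: str, banned: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """Return (ok, message). `banned` holds characters this particular system
    cannot accept (an assumed site-specific limitation); when any are present
    the message names them rather than calling the whole address invalid."""
    if "@" not in address:
        return False, "An email address must contain an '@'."
    # rpartition: a quoted local part may itself legitimately contain '@'.
    local, _, domain = address.rpartition("@")
    if not 1 <= len(local) <= 64:
        return False, "The part before '@' must be 1 to 64 characters long."
    hit = sorted(set(address) & banned)
    if hit:
        return False, _cannot_use(hit)
    if not (_quoted_local_ok(local) or _dot_atom_ok(local)):
        bad = sorted(set(local) - ATEXT - {"."})
        if bad and not local.startswith('"'):
            return False, _cannot_use(bad)
        return False, ("The part before '@' is not valid (check for empty "
                       "dot-separated parts or unbalanced quotes).")
    labels = domain.split(".")
    if not domain or len(domain) > 253 or not all(LABEL_RE.match(l) for l in labels):
        return False, "The domain after '@' is not a valid hostname."
    return True, "OK"


def split_subaddress(local: str, sep: str = "+") -> Tuple[str, Optional[str]]:
    """Split 'user+tag' into ('user', 'tag') so a service can accept plus-tagged
    addresses and still recognise the base mailbox. Quoted local parts are
    returned untouched rather than guessed at."""
    if local.startswith('"'):
        return local, None
    base, found, tag = local.partition(sep)
    return base, (tag if found else None)


if __name__ == "__main__":
    # Constructed sample addresses, including the comment's own banned set.
    site_banned = frozenset("\\£/")
    for addr in ("first.last+skype@example.com", '"very@odd"@example.com',
                 "user/name@example.com", "a b@example.com", "a..b@example.com"):
        print(addr, "->", validate_email(addr, site_banned))
    print(split_subaddress("first.last+skype"))
```

`validate_email` checks the site's own limitation before the RFC rules on purpose: a user who typed "£" should be told that "£" is the problem, not handed a generic rejection.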

Re: @The BigYin

> If there is some limitation, then that needs to be clearly documented and a proper error
> shown, not just crap like "Your address is invalid".

One major site did that to me recently. I eventually discovered that it didn't like the sequence 's','p','a','m' anywhere in my email address.

0
0
Silver badge
Thumb Up

This is fantastic!!!

Now THEY can talk to my Mother-in-law...

23
1
Anonymous Coward

Re: This is fantastic!!!

Based on the down vote, it looks like someone already has....

7
1
Silver badge

secret email address

WTF is a secret email address? Or did you mean (as evidenced by the above posters) a unique-to-site email address?

0
2
Silver badge
Joke

Re: secret email address

Can't tell you, it's a secret.

2
0
Bronze badge
FAIL

And this is the replacement to Windows Messenger?

Fills me with real faith....

5
1
WTF?

Am I being stupid or...

is the real answer to send the password reset details to the email address being used (which presumably the hacker has no access to) rather than the Skype client?

3
0

"The embarrassing security hole"

Warning, understatement alert detected.

2
0

OTR

"it is also possible to download private chat logs for the compromised account" - This is why people should use OTR. If your IM provider doesn't have your chat logs, they can't leak them.

2
0
Big Brother

Whenever signing up for these things I always give the least amount of information where possible, and fill in fake details wherever needed. That's probably why both my Skype accounts only have username/password associated with them.

0
0