Skype 0-day vulnerability allowed hackers to change the password of any account (20100706 Youjin Lee) - 20th
by You Jin Lee - Monday, 26 November 2012, 7:58 AM

1. Summary of news

Security researchers found a 0-day vulnerability in Skype that allows hackers to reset the password of any account. An attacker can tamper with the password reset request, or even bypass the token authentication process.

2. Vulnerabilities

There are two main vulnerabilities: bypassing token protection by tampering with session data, and bypassing the token_expire protection of the password reset request.

In the first, an attacker can compromise the authentication request, which is limited only to the account session with the 'intercape' parameter. Since it is not sanitized, the attacker can change it simply with a session tamper tool.

The second is a session token bypass flaw. It is much simpler: just change the token_expire parameter from the value 1 to 0 in the password recovery notification email. Even if the link has expired, the attacker can reuse it and get a valid link again from the expired session.

3. Conclusion

After this problem (and another authentication issue below) was reported, Skype temporarily disabled the password change page, and it now seems to be repaired. Skype should have checked for unsanitized requests, and this is not a complicated measure for Skype, which is a proprietary VoIP service company. This case shows that a simple checking failure can cause a horrible security problem.

4. References

https://twitter.com/vuln_lab/status/269343182544838656
(Vulnerability Lab originally provided detailed information on this issue, but the link above is broken.)

http://news.softpedia.com/news/Skype-0Day-Vulnerability-Allowed-Hackers-to-Change-the-Password-of-Any-Account-Video-307672.shtml
http://news.softpedia.com/news/Skype-Password-Reset-Zero-Day-Reported-to-Skype-in-October-306835.shtml
(The Softpedia article also includes YouTube video PoCs of this security issue.)

- see also:

Right before this security hole was reported, Skype also suffered another password-related security problem, reported by a Russian hacker. All an attacker needs is the email address of the victim, and the steps are super simple. This issue and the problem above are now fixed. If you want to read about it, see:

http://www.reddit.com/r/netsec/comments/13664q/skype_vulnerability_allowing_hijacking_of_any/
http://pixus-ru.blogspot.kr/2012/11/hack-any-skype-account-in-6-easy-steps.html
http://thenextweb.com/microsoft/2012/11/14/security-hole-allows-anyone-to-hijack-your-skype-account-using-only-your-email-address/?fromcat=all
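
The token_expire flaw from section 2, shown as an added example that is not part of the original post and is not Skype's code: a simplified model of a reset-link check that trusts an expiry flag carried in the link, next to a check that binds the expiry time into a server-side MAC and redeems each link once. Apart from token_expire, every name and value here (issue, check_vulnerable, check_hardened, SECRET, TTL, the link fields) is an assumption made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed value; a real key lives in a secret store
TTL = 3600                        # assumed link lifetime in seconds
_used = set()                     # redeemed links (a database table in practice)

def _mac(account: str, expires: str) -> str:
    return hmac.new(SECRET, f"{account}|{expires}".encode(), hashlib.sha256).hexdigest()

def issue(account: str, now: float) -> dict:
    """Build the reset-link parameters; the expiry time is covered by the MAC."""
    expires = str(int(now) + TTL)
    return {"account": account, "expires": expires,
            "sig": _mac(account, expires), "token_expire": "0"}

def check_vulnerable(params: dict, now: float) -> bool:
    """Modelled flaw: the 'expired' flag is read from the link itself."""
    return params.get("token_expire") == "0"

def check_hardened(params: dict, now: float) -> bool:
    """Ignore client-side flags; verify the MAC and compare times on the server."""
    try:
        account, expires, sig = params["account"], params["expires"], params["sig"]
        deadline = int(expires)
    except (KeyError, ValueError):
        return False
    if not hmac.compare_digest(_mac(account, expires).encode(), str(sig).encode()):
        return False              # any edited field invalidates the link
    if now > deadline or sig in _used:
        return False              # expired, or already redeemed once
    _used.add(sig)
    return True
```

In the hardened check the token_expire field has no effect at all, so editing it in the emailed link changes nothing, and extending the expires field breaks the MAC.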