Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2012.0159 Skype Account Hijack Vulnerability 15 November 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Skype Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Access Privileged Data -- Remote/Unauthenticated Resolution: Mitigation Member content until: Saturday, December 15 2012 Comment: Proof of concept code has been published for this vulnerability however the issue is now resolved. OVERVIEW Skype have fixed a security issue with the password reset functionality on their website. IMPACT According to SANS, the bug "would have allowed anyone to hijack a Skype account simply by knowing the e-mail address the account was associated with". [1] MITIGATION Prior to the bug being fixed, the only known mitigation was to create an entirely new account with an obscure, unknown email address. [2] Skype has since updated the password reset functionality and is getting in contact with affected users. [3] REFERENCES [1] Skype account hijack vulnerability fixed http://isc.sans.edu/diary.html?storyid=14512&rss [2] Skype vulnerability makes hijack childs play http://countermeasures.trendmicro.eu/skype-vulnerability/ [3] Reported Security Issue - RESOLVED http://heartbeat.skype.com/2012/11/security_issue.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUKRduu4yVqjM2NGpAQI5RA//ZOf41J/27jdALZyLXPlS4SuO5lBE4h3K Qqpy1vkZ+ckLKcUkam0zZCGU5WfoFS0elmx3/JT+iZFIAUiQ6iEgSBkMgT70Fq/s /wqB4nFqHbZl4LPRPkDJqjgGwkELhG+xvGbfudid7ylWgH2GCED6/ZizHTLN4cGi eDm2uxddaBmO67KKqEBDjLq5GHaM8pqFxa1smg+QijQxqx5csxv1ayH+pq1j9TUY CpajCchD8RVPIWijheet+F5l4Q9k8ycmRfN/C1EqLEvPCxW9Lu+wEiHj8270k38N gFLiAqurofH7T1fy0QuW4TkHhaIyIGXM7smjcJO+QU/RHY6Zknw2dug+LS+IMXNF eSEPD1Tz/W8GB0HvQZrGJHbXAjduhrLx1q6pMCJS6o2zkH4AK3k0znWpbjtWVyNg VCw4KyT8b1+2YMLc8JvIs9W944vwYNiYPpWHMI6jAjsgAJX6YUTI6zkDXQvJQsSK iuqT+Tdsogc+/kHCvhKku5Ha5adnUxMAq2zU3alTGRCeF9WeWyWlociuHbbmgpFy 61bCJl7/ChwwNGIG+NiajFnyRtP3v2e27CO20LJY/Dj0CEAvwSyn1B5kadp7am3Z vxgEZ66RKU5rvx8CATosxsJZ1SupeEpRjiyajQKiglSeqKJ72edu6+Nm1PaWaum5 Nig74jdafsI= =otgs -----END PGP SIGNATURE-----