A major vulnerability in Skype's password reset system went public today.
The only thing you need to obtain full access to any Skype account is the primary email address of that account (the email used when the Skype account was registered).
The following guide covers both how an account is stolen and how to protect your own account (scroll down for that).
Update 1 (November 14, 2:00am PDT): Skype has disabled the password reset system, so the link in step 4 is not working for me now (as of November 14, 2 am PDT).
Update 2 (November 14, 6:00am PDT): Skype re-enabled the password reset system, but it no longer sends the recovery token to the attacker's client. The hole (gate, almost a highway) is closed.
For example, I know somebody's email, crackme33@yahoo.com, so let's hack his Skype!
1. Go to the Skype website and register a new disposable account. In the email field, put the target's email.
If the email you typed into the form is attached to some Skype account, the site will say "You already have a Skype account". That means you can hack it!
So complete the form: provide a fake date of birth, gender and country, answer the question "How do you intend to use Skype?" with "personal", pick any Skype name (REMEMBER IT; the site suggests names that are not taken), assign a password (REMEMBER IT), solve the CAPTCHA and push the Continue button.
You will be redirected to your new account dashboard. Log out of it.
2. Run the Skype application and sign in with those new credentials.
3. Since we just logged in to a fresh account, the home screen of the Skype application will show the "Find your friends and say hello" advertisement. Click somewhere to bring focus to that part of the screen (I clicked where the red cross is drawn in the screenshot):
Then press F5 to refresh the home screen. Do that 3-4 times until you see the "Bring your Facebook friends into Skype" advertisement. Click "No thanks, blah-blah-blah".
You will get the home screen with some banner.
4. Go to Skype's password reset page and enter the target's email, in my case crackme33@yahoo.com.
Click the Submit button. After several seconds you will see a Skype pop-up notification, "Password token".
5. Go to the Skype application. On the home screen you will see the Password token; click "more info", then follow the "temporary code" link:
6. The browser will open a page where you can select any Skype account registered to the target's email. In my case there are two accounts, my disposable one and the target's:
Choose the target's account and click "Change password and sign me in":
You are all set!
P.S. I have changed the primary email for those test accounts, so do not try to hack them. Just in case. =)
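To make the failure in steps 1 to 6 concrete, here is a small model of the flawed reset flow next to a hardened one. This is an added example, not Skype's code: the account store, the client notification queue and every function name are assumptions chosen to reproduce what the post describes (registration binds an unverified email to a fresh account, and a reset request then pushes the token in-band to every logged-in client whose account lists that email). The hardened variant only counts addresses the user has proven by a mailed confirmation link and delivers tokens by email only, so a disposable account bound to the victim's address receives nothing.

```python
"""Model of the Skype password-reset flaw described above, with a hardened
variant. Added example, not Skype's code: the account store, the client
notification queue and every function name are assumptions chosen to
reproduce the behaviour in the post."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    skype_name: str
    password: str
    emails: list                                  # claimed addresses, primary first
    verified: set = field(default_factory=set)    # addresses proven via a mailed link


class VulnerableService:
    """Reset tokens are delivered to every online client bound to the email."""

    def __init__(self):
        self.accounts = {}   # skype_name -> Account
        self.online = {}     # skype_name -> notifications shown on the home screen
        self.tokens = {}     # token -> skype_names the token may reset

    def register(self, skype_name, password, email):
        # Step 1 of the post: no proof of ownership, any email may be attached.
        self.accounts[skype_name] = Account(skype_name, password, [email])

    def login(self, skype_name, password):
        acct = self.accounts[skype_name]
        if acct.password != password:
            raise PermissionError("bad credentials")
        self.online[skype_name] = []

    def request_reset(self, email):
        matching = [a for a in self.accounts.values() if email in a.emails]
        token = secrets.token_hex(8)
        # One token scoped to every account sharing the address (step 6), and
        # pushed as a "Password token" notification to each online client (step 5).
        self.tokens[token] = [a.skype_name for a in matching]
        for a in matching:
            if a.skype_name in self.online:
                self.online[a.skype_name].append(("Password token", token))
        return token

    def redeem(self, token, target_name, new_password):
        if target_name not in self.tokens.get(token, []):
            raise PermissionError("token not valid for this account")
        self.accounts[target_name].password = new_password
        del self.tokens[token]


class HardenedService(VulnerableService):
    """Only verified addresses count, and tokens leave the server by email only."""

    def __init__(self):
        super().__init__()
        self.outbox = []     # (email, token) pairs handed to the mail system

    def verify(self, skype_name, email):
        # Stands in for the user clicking a confirmation link mailed to `email`.
        self.accounts[skype_name].verified.add(email)

    def request_reset(self, email):
        matching = [a for a in self.accounts.values() if email in a.verified]
        token = secrets.token_hex(8)
        self.tokens[token] = [a.skype_name for a in matching]
        self.outbox.append((email, token))   # never pushed to a logged-in client
        return token


def attack(service_cls):
    """Replay the post's steps; True means the attacker ends up logged in as
    the victim without ever reading the victim's mailbox."""
    svc = service_cls()
    svc.register("victim", "victim-pw", "crackme33@yahoo.com")
    if isinstance(svc, HardenedService):
        svc.verify("victim", "crackme33@yahoo.com")   # the real owner confirmed it
    svc.register("disposable", "attacker-pw", "crackme33@yahoo.com")  # step 1
    svc.login("disposable", "attacker-pw")                            # step 2
    svc.request_reset("crackme33@yahoo.com")                          # step 4
    received = [t for kind, t in svc.online["disposable"] if kind == "Password token"]
    if not received:
        return False
    try:
        svc.redeem(received[0], "victim", "owned")                    # step 6
    except PermissionError:
        return False
    svc.login("victim", "owned")
    return True


if __name__ == "__main__":
    print("vulnerable service hijacked:", attack(VulnerableService))  # True
    print("hardened service hijacked:", attack(HardenedService))      # False
```

The two checks the hardened class adds are independent: requiring a verified address stops the disposable account from being bound to the victim's email in the first place, and routing the token only through the mailbox stops a client from ever receiving a token that was meant for someone else. Either alone would have broken the procedure above; together they also remove the account-selection page in step 6 as an attack surface.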
How to protect your accounts
You have now changed the password of the target account, know its Skype login, and are able to use it. But somebody could take it back from you the same way you took it (the owner, for example). To prevent that, change the primary email to an address unknown to anyone else.
To do that:
1. Sign in on the Skype website.
2. Go to the "profile" link:
3. Under account information, scroll down to "Contact details" and click "Add email address":
4. Add an email address that nobody but you knows:
Click the Save button at the bottom of the form. After the page reloads, refresh it again to avoid some strange glitches of the site (if you do not reload the page, it will forget steps 4 and 5 after you do the following steps and discard that little work).
5. Scroll to Contact details again, click "Add email address" again, and switch the primary email to the new one:
Click the "Save" button at the bottom of the form again.
It will ask for your password, which you already know. Type it and click the button with the mouse, not with the Enter key.
After the page reloads, refresh it again to avoid the glitches described above.
6. Scroll to Contact details again and click "Add email address" again. Delete (with the Backspace and/or Delete keys) all emails except the primary one:
7. Click the "Save" button at the bottom of the form. Make sure all your changes have been applied (it sometimes takes two or more attempts, since the site is developed by curly-handed programmers).
8. Tell your friends how to protect their Skype accounts. ASAP.
Once an account is stolen, whoever holds it can retrieve all your IM history from your other peers.
If you have already lost your account, contact everyone who matters to you and tell them to remove you from their contact list. That prevents the IM history exchange (if it has not already happened).
This is how the target's mailbox looks:
So the target does receive notifications about the password change, but the original owner has less than a minute to understand what is happening and take action. It is almost impossible to log in to the Skype website and change the emails when the hacker is already there.
Disclaimer: The information provided in this blog is to be used for educational purposes only. The blog author is in no way responsible for any misuse of the information provided.