Today was a bad day for Skype/Microsoft: a vulnerability was discovered on the Skype website which allowed an attacker to hijack the account of a Skype user. The Skype client itself (the software) is not affected. When successfully performed, the account was not only stolen but, worse, it looks like it was possible to retrieve (download) the conversations from the victim’s contacts if they were online at that time, with a potential disclosure of sensitive information! This attack was possible using the “reset password” feature present on the Skype website (and on most modern websites). This is clearly a problem in the design of the application. Hopefully, Microsoft reacted promptly and disabled this feature to prevent more accounts from being hijacked. This will be very annoying for people who need to reset their password, but it was necessary.
To successfully hijack a Skype user, the first step is to sign up for a new account using the victim’s registered e-mail address… The flaw resides in the fact that the warning about the existing account can be ignored and the attacker is allowed to continue the process of creating the rogue account. What’s easier to find than a valid e-mail address? Often people use the same one across multiple services, and they can be easily guessed:
- firstname.lastname
- f.lastname
- firstname.l
- nick
- …
Your addresses are available everywhere: in forums, mailing list archives, etc.! For years (really?), security awareness campaigns have targeted people and their passwords: “Use strong and unique passwords“. But what about e-mail addresses? Do we really manage them safely? Of course, we can use temporary addresses for one-shot access to a resource (example: $VENDORS who try to get you into their marketing lists before you download a white paper or a report). There are plenty of services on the Internet which offer disposable addresses; personally I like http://guerillamail.org/. But, to create an account for a permanent service, a real address is needed. Don’t panic, there are ways to protect your addresses:
First scenario, you are the lucky owner of your personal domain name with MX records, it’s easy to create multiple e-mail addresses which will point to your main one. You can also create a sub-domain to classify them easily. In my case, I’m often using “something(at)nospam(dot)rootshell(dot)be“.
If you are a Google Mail user, they have a cool option for you: add “+something” to your me@gmail.com address. Example: “me+idonttrustthissite@gmail.com“. You can create one address per site you want to register on. This will make your addresses unique and less easily guessable! This is not a hack provided by Google; other free e-mail providers support this feature, described in RFC 5233 (“Sieve Email Filtering: Subaddress Extension”).
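Two things from this post fit in one piece of code: building the per-site “+tag” address, and the check the Skype sign-up flow lacked, namely refusing a new account whose address already belongs to someone. This is an added example, not code from the post; the provider lists are constructed for the example, and which providers honour subaddressing or ignore dots is an assumption you must verify for your own deployment.

```python
import re

# Constructed for this example: providers assumed to honour RFC 5233
# subaddressing ("user+tag@domain"), and those assumed to ignore dots
# in the local part (Gmail does both).
SUBADDRESS_DOMAINS = {"gmail.com", "googlemail.com", "nospam.example.org"}
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def canonical_address(addr: str) -> str:
    """Reduce an address to the mailbox that actually receives it.

    Case is folded (local parts are treated case-insensitively by nearly every
    provider), a '+tag' subaddress is stripped for providers known to support it,
    and dots are removed for dot-insensitive providers. Unknown providers keep
    their local part verbatim apart from case folding.
    """
    addr = addr.strip()
    if not ADDRESS_RE.match(addr):
        raise ValueError(f"malformed address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if domain in SUBADDRESS_DOMAINS:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local.lower()}@{domain}"


def per_site_address(mailbox: str, site: str) -> str:
    """Build the unique '+site' address the post recommends for one service."""
    local, domain = mailbox.rsplit("@", 1)
    tag = re.sub(r"[^a-z0-9]", "", site.lower())  # keep the tag plain ASCII
    return f"{local}+{tag}@{domain}"


class Registry:
    """Sign-up store that refuses a second account on an already-registered
    mailbox, comparing canonical forms so '+tag' or dot variants cannot bypass it."""

    def __init__(self) -> None:
        self._owners: dict[str, str] = {}  # canonical address -> username

    def register(self, username: str, addr: str) -> str:
        canon = canonical_address(addr)
        if canon in self._owners:
            raise PermissionError(f"{addr} already belongs to an account; sign-up refused")
        self._owners[canon] = username
        return canon
```

The canonical comparison is what matters: checking the raw string would let “m.e@gmail.com” register on top of “me+skype@gmail.com”, which is the same mailbox.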
There is nothing brand new in this quick blog post. But, if a major online service like Skype suffered from a problem involving e-mail addresses, I’m pretty sure that there are many more in the same case. That’s a good opportunity to remind you that your e-mail addresses, like your passwords, must be properly handled and secured!
i have been using ‘strong email addresses’ for some 6+ years now but my preference is for using mailnull and spamgourmet.
the gmail trick leaks too much information about the root email address – maybe not an issue for defending against this specific attack, but strong unique email addresses are also good anti-spam and anti-phishing defenses and the gmail trick is less useful there.
as for using your own domain, i actually do own my own domain but there are times when i want to create a new ‘strong’ email address when i’m not on a computer i trust and so i’d rather log into something less valuable (like a disposable email provider site).