Thursday, November 15, 2012

Skype fixes password security vulnerability

Skype has fixed a vulnerability that allowed anyone to take control of someone else's Skype account simply by creating a new Skype account with the targeted user's e-mail address and then resetting the password. CNET reports that since users tend to use the same e-mail address for a variety of services, the loophole meant that it was possible for the person to reset passwords for all those too, potentially locking the original user out of those accounts. Once the e-mail and password loophole was discovered, Skype temporarily cut off access to the password reset page as a preventive measure.

Soon after, in an official blog post, Skype shared that it was informed of user concerns pertaining to the security of the password reset feature. It admitted that the issue impacted some users where multiple Skype accounts were registered to the same email address. “We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly.” Skype confirmed that it is reaching out to a small number of users who may have been affected, to assist them as necessary.

Recently, the Voice over Internet Protocol (VoIP) service Skype was hit by a spam campaign in India, and users in the country are being asked to exercise caution. The government issued an advisory informing Skype users of the malicious spam campaign.

"A malicious spam campaign is on the rise targeting Skype users by sending instant message which appears to come from friends in the Skype contact list," the advisory reads. The Computer Emergency Response Team (CERT-In) under the Communications and Information Technology ministry shared that the malware was adept at gaining control of the victim's machine by opening a backdoor and communicating with a remote HTTP server.

Cyber security experts found the malware-ridden content "lurking in the vicinity of cyber networks of Indian users who use this popular Voice-over Internet Protocol (VoIP) service". The malware has been reported to steal user details and fuel click fraud activity, while also posing as ransomware.

As a precaution, the advisory has asked Skype users in the country to "not follow unsolicited web links or attachments in Skype messages and install latest security updates to Skype". The advisory adds that users should download the latest version of Skype from trusted sources. To secure themselves further, users should install and maintain updated anti-virus software on gateways and desktops. The advisory stresses the need for caution when opening attachments, accepting file transfers, or clicking links to web pages. Disabling the auto play feature altogether is a safe practice. Users should also be on guard against social engineering attacks.

Earlier this month, users had started facing problems with ransomware on Skype through a seemingly harmless message, "lol is this your new profile pic?" The message was followed by a link that downloads malware onto users' computers. According to Trend Micro, these reports have not stopped yet and are now spreading fast.
