
Skype accounts easily hijacked via Skype Support, warns hacker

After a security researcher had his Skype account hijacked six different times within one day, he's trying to raise awareness about how easily Skype Support can be socially engineered. He says the Skype account recovery policy needs to be changed.

By Ms. Smith on Mon, 04/29/13 - 11:43am.

Microsoft has been "reimagining" itself for years, but after a security researcher had his Skype account hijacked six times in one day, he wants Skype Support to reimagine itself with more security.


Microsoft switched its company and some brand logos last year, but it intends to change logos for Bing, Skype, Visual Studio, Yammer and Xbox as well. According to the "reimagining of Microsoft" talk at Design Day 2013 in Norway, Windows Phone design studio general manager Albert Shum has been working with creative director Todd Simmons from the external marketing firm Wolff Olins. The duo reportedly revealed the new logos for Bing and either Skype or Yammer below:

Microsoft new logos for Bing, and Skype or Yammer

According to Paul Thurrott, Shum was the person "most directly responsible" for the "Metro" design. Wolff Olins has worked on marketing for Windows 8; Simmons advised Microsoft to break the "habit of version branding" and to "go from a sales mentality to seduction; let the products speak for themselves." Nike was used for design inspiration and the goal was to create a "Microsoftness" across all brands.

Regarding Windows Phone, WinBeta reported that Microsoft doesn't want to make icons prettier, since "they are really just buttons," a snarky dig at the phone icons for Apple's iOS and Google's Android operating system. For Windows Phone, Microsoft wants to "take away what you don't need and focus on the user experience."

Social Engineering Skype Support to hijack Skype accounts

Speaking of Microsoft and user experience, security researcher @TibitXimer complained about a horrible user experience after losing control of his Skype account six times in one day. In fact, Ximer says Skype recovery mechanisms are so inadequate that "anyone can steal your Skype account" by providing:

  • 3-5 of your contacts on skype
  • 1 email you've used on skype at any point
  • your first and/or last name

Ximer provided screen captures of his conversation with Skype Customer Support and is trying to raise enough outrage and awareness to force Skype to change its recovery policy. He wrote on the Skype forum:

Due to my account being stolen (not hacked) through Skype support (because Skype support didn't verify if the person owned the account or not, just wanted those 3 points mentioned above) my account was used to scam people out of hundreds of dollars along with damaging my reputation for my product's security due to thinking I had low security on my Skype account or email address, when in reality, it was Skype Support's fault my account was stolen, multiple times, and had nothing to do with end-users (me in this case).

Unsurprisingly, Skype Support disagrees with Ximer about how easily Skype accounts can be hijacked by social engineering the support team. "Skype CS is looking into your case. Our unlock policy does in fact require more than just the information you have quoted and we are checking where the failure happened during the required steps of verification."

Other Skype users on the forum pointed out that there are guides for sale that explain how to easily exploit Skype Support and steal accounts. 

Ximer said Skype Support has now suspended his account while the matter is being investigated. He added that Skype account hijacking has also "happened to many members of a forum I'm on all in the same week," before providing a screenshot of other users complaining about it. He then wrote, "This was a massive failure by Skype support. While they may ask more questions during the verification process, they did not require that all questions were answered. Majority of the time they only required those 3 steps as enough for the verification of the account owner."

Spiegel suggested setting up an email account that is used only for Skype, or tweaking your Gmail address specifically for Skype.

Years ago, the Google Gmail team explained "two hidden ways" to manipulate your Gmail address: adding a plus "+" sign followed by a tag, or adding one or more dots "." to your current Gmail address. For example, "iheartprivacybogusaccount@gmail.com" could be tweaked into "iheartprivacybogusaccount+skypesecurity@gmail.com" or "i.heart.privacy.bogus.account@gmail.com". The periods and the plus tag are ignored for delivery, but can be used for added security and privacy—or to help you track who sells your email address.

By the way, if you try this trick of adding "." or dots with a Hotmail address, it bounces with the error: "Delivery to the following recipient failed permanently." However, an address such as "iheartprivacybogusaccount+skypesecurity@hotmail.com" will successfully send.
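The two paragraphs above describe address variants that deliver to one mailbox: Gmail ignores dots in the local part and anything after a "+", while Hotmail honours dots but accepts a "+tag". The flip side for a defender is that a recovery workflow which matches "an email you've used on the account" must compare canonical forms, or aliases of one mailbox will look like unrelated identities (and, conversely, a user's own alias will fail to match). The following is an added example written for this page, not code from the article, Skype, or Microsoft; the per-provider rules are assumptions based only on the behaviour the article reports, and `example.org` is a placeholder domain with no special handling.

```python
"""Canonicalise e-mail addresses so that sub-addressing aliases compare equal.

Added example (not from the article). Provider rules are assumptions drawn
from the behaviour the post describes: Gmail ignores '.' in the local part and
anything after '+'; Hotmail delivers '+tag' mail but treats dots as significant.
Unknown domains are only lower-cased, because their alias rules are unknown.
"""

# Domains assumed to ignore dots in the local part (per the article's Gmail note).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

# Domains assumed to deliver '+tag' mail while keeping dots significant
# (per the article's Hotmail test; outlook.com/live.com added as an assumption).
PLUS_ONLY_DOMAINS = {"hotmail.com", "outlook.com", "live.com"}


def canonical_email(address: str) -> str:
    """Return a canonical mailbox identifier for `address`.

    Lower-cases the address, removes a '+tag' sub-address where the provider is
    known to ignore it, and removes dots where the provider ignores them.
    Raises ValueError on input that is not a single user@domain pair.
    """
    addr = address.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")

    # Both provider families in the article deliver '+tag' mail to the base
    # mailbox, so the tag is not part of the identity.
    if domain in DOT_INSENSITIVE_DOMAINS or domain in PLUS_ONLY_DOMAINS:
        local = local.split("+", 1)[0]

    # Only the dot-insensitive providers collapse 'i.heart' and 'iheart'.
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")

    # RFC 5321 allows a case-sensitive local part, but the large webmail
    # providers treat it case-insensitively, so lower-case for matching.
    return f"{local.lower()}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when both addresses resolve to the same canonical mailbox."""
    return canonical_email(a) == canonical_email(b)


def group_by_mailbox(addresses):
    """Group raw aliases (e.g. every address quoted in a support ticket) by
    the mailbox they actually deliver to. Returns {canonical: [raw, ...]}."""
    groups: dict[str, list[str]] = {}
    for raw in addresses:
        groups.setdefault(canonical_email(raw), []).append(raw)
    return groups


if __name__ == "__main__":
    # Constructed sample aliases modelled on the article's examples.
    seen = [
        "iheartprivacybogusaccount@gmail.com",
        "iheartprivacybogusaccount+skypesecurity@gmail.com",
        "i.heart.privacy.bogus.account@gmail.com",
        "iheartprivacybogusaccount+skypesecurity@hotmail.com",
        "i.heart.privacy.bogus.account@hotmail.com",  # distinct mailbox on Hotmail
    ]
    for mailbox, aliases in group_by_mailbox(seen).items():
        print(f"{mailbox}: {len(aliases)} alias(es) -> {aliases}")
```

Running the script groups the three Gmail spellings under one mailbox while keeping the dotted and undotted Hotmail addresses apart, which is exactly the distinction a support agent eyeballing a ticket is likely to get wrong in one direction or the other. For real deployments the provider tables should come from configuration rather than hard-coded sets, since alias rules differ per provider and change over time.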

Update: After Microsoft read this article, it sent the following statement:

We take the security of our customers extremely seriously, and have been making ongoing enhancements to help protect customers. We have processes in place that would help protect against password reset scenarios such as this, and our customer support agents remain available to help customers as needed. We encourage customers to use Microsoft account to log into Skype, which helps make their accounts more secure using two-step verification. For more information about individual accounts, customers can contact Skype by visiting: https://support.skype.com/en/faq/FA1170/how-can-i-contact-skype-customer.... –A Skype Spokesperson


Follow me on Twitter @PrivacyFanatic