A major vulnerability in Skype's password reset system went public today.
At the moment there is no other way to protect your Skype account except changing the primary email to some unknown address.
The only thing you need to obtain full access to any Skype account is the primary email of that account (the email that was used when the Skype account was registered).
For example, I know somebody's email, crackme33@yahoo.com, so let's hack his Skype!
1. Go to the Skype website and register a new disposable account. In the email field, put the target's email.
If the email you typed into the form is attached to some Skype account, it will say "You already have a Skype account", which means you can hack it!
So, complete the form: provide a fake date of birth, gender and country, answer the question "How do you intend to use Skype?" with personal, fill in any Skype name (REMEMBER IT; it will suggest some that are not taken), assign a password (REMEMBER IT), solve the captcha, and push the continue button to proceed.
You will be redirected to your new account dashboard. Log out of it.
2. Run the Skype application with those new credentials.
3. Since we just logged in to a fresh account, the home screen of the Skype application will show the advertisement "Find your friends and say hello". Click somewhere to bring focus to that part of the screen (I clicked where the red cross is drawn):
Then push the F5 key on your keyboard to refresh the home screen. Do that 3-4 times until you see the "Bring your Facebook friends into Skype" advertisement. Click "No thanks, blah-blah-blah".
You will get the home screen with some banner.
4. Go to Skype's password reset system. Put in the target's email. In my case, crackme33@yahoo.com.
Click the "Submit" button, and after several seconds you will see Skype's pop-up notification, "Password token".
5. Go to the Skype application. On the home screen you will see the Password token; click "more info", then go to the "temporary code" link:
6. The browser will open a page where you can select any Skype account registered to the target email. In my case there are two accounts, my disposable one and the target's:
Choose the target's account and click "Change password and sign me in":
You are all set!
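The flaw these steps rely on, as a simplified Python model added here (not code from the original post and not Skype's implementation): the reset token is shown inside every account that lists the address, including one that never proved it owns the mailbox. The class, its method names and the `require_verified_email` switch are hypothetical, and the hardened mode is one assumed fix.

```python
import secrets

class ResetService:
    """Toy model of the reset flow; every name in it is hypothetical."""

    def __init__(self, require_verified_email):
        self.require_verified_email = require_verified_email
        self.accounts = {}  # login -> {"email", "verified", "password", "inbox"}
        self.tokens = {}    # token -> email address it was issued for

    def register(self, login, email, password, verified=False):
        # As in the post, signing up with an address that is already in use
        # succeeds; `verified` records whether ownership was ever proven.
        self.accounts[login] = {"email": email, "verified": verified,
                                "password": password, "inbox": []}

    def _eligible(self, email):
        # Accounts allowed to see the token and to be chosen on the reset page.
        return [login for login, acct in self.accounts.items()
                if acct["email"] == email
                and (acct["verified"] or not self.require_verified_email)]

    def request_reset(self, email):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = email
        # Flawed mode: every account listing the address gets the token in its
        # client. Hardened mode: only accounts that verified the address do.
        for login in self._eligible(email):
            self.accounts[login]["inbox"].append(token)

    def reset_password(self, token, login, new_password):
        email = self.tokens.pop(token, None)  # tokens are single use
        if email is None or login not in self._eligible(email):
            return False
        self.accounts[login]["password"] = new_password
        return True


def takeover_succeeds(require_verified_email):
    # Constructed scenario: a second account is registered on the owner's
    # address without ever proving access to that mailbox.
    svc = ResetService(require_verified_email)
    svc.register("owner", "owner@example.test", "orig-pw", verified=True)
    svc.register("disposable", "owner@example.test", "x")
    svc.request_reset("owner@example.test")
    leaked = svc.accounts["disposable"]["inbox"]
    return bool(leaked) and svc.reset_password(leaked[0], "owner", "new-pw")
```

With `require_verified_email=False` the unverified account receives the token and can reset the owner's password; with `True` its inbox stays empty and the owner's own reset still works.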
How to protect yourself / your family accounts
You have already changed the password for the target account, you know the Skype login, and you are able to use that target Skype account. But somebody could take it from you, just as you did (the owner, for example). To prevent that, you need to change your primary email to some address unknown to anyone.
To do that:
1. Sign in on the Skype website.
2. Go to the "profile" link:
3. On the account information page, scroll down to "Contact details" and click "Add email address":
4. Add an email address of yours that is unknown to anybody but you:
Click the save button at the bottom of the form. After the page reloads, refresh it again to prevent some strange glitches of the site (if you do not reload the page, then after you do the following steps it will forget steps 4 and 5 and discard that little bit of work).
5. Scroll to Contact details again. Click on "Add email address" again. Switch the primary email to the new one:
Click the "Save" button at the bottom of the form again.
It will ask you for your password. You know it already.
After the page reloads, refresh it again to prevent some strange glitches of the site (described above).
6. Scroll to Contact details again. Click on "Add email address" again. Delete (with the backspace and/or delete keys) all emails but the primary one:
7. Click the "Save" button at the bottom of the form. Make sure all your changes were applied (it sometimes requires two or more attempts, since the site is developed by curly-handed programmers).
Disclaimer: The information provided in this blog is to be used for educational purposes only. The blog author is in no way responsible for any misuse of the information provided.