Using Skype Manager? No? Expect incoming fraud

I have been using Skype ever since it came out, so I know my stuff.

I know how to write strong passwords, how to use smart security questions and how to – most importantly – avoid phishing attempts on my Skype account.

But all that didn’t help me avoid a Skype mishap (or more bluntly as a friend said – Skype f*ckup).

It all started Saturday late at night (about 2am GMT), when I started receiving emails in Mandarin from Skype. My immediate thought was fraud, a phishing attempt, so I ignored them. But then I noticed I had also got emails from PayPal with charges from Skype for $100, $200, $300, and I was worried: was my account hacked?

I immediately went to PayPal and disconnected my authorization to Skype, called in Transaction Dispute on PayPal and then went on to look at my Skype account.

I looked into the recent logons to my account – nothing.

I looked into email changes, or passwords – nothing.

I couldn’t figure out how things got to where they were, and then I noticed: I had become a Skype Manager. Wow, I was promoted and I didn’t even send in my CV.

Yeah, joke aside, Skype Manager is a service Skype offers to businesses to allow one person to buy Skype Credit and other people to use that Credit to make calls. A great idea, but the execution is poor.

The service appears to have been launched in 2012, and a few weeks after that, fraud started popping up. The how is very simple, and so stupid that it is shameful for Skype not to have fixed this since it was first reported (as far as I found) on the 21st of Jan 2012 on the Skype forum.

Apparently having this very common combination of:
1) Auto-charge PayPal
2) Never used Skype Manager
3) Never set up a Work email for Skype

Makes it possible for someone to:
1) Set you up as a Skype Manager
2) Set up a new work email at some obscure service (Mailinator was used in my case), and have all Skype confirmation emails sent there

Yes, they don’t need to know anything BESIDES the Skype Call name of your account – which is easy to get using Skype Search.

Once you have become a Skype Manager, “you” can add users to the group you are managing. They don’t need to log on, as all they need to do is use the (email) link sent to the newly assigned Work Email. Yes, it doesn’t confirm the password – smart, huh?

The users added to your Skype Manager can now take the Credit (it’s not money, just call credits) and call anywhere they want.

Why this bug / feature has not been fixed or addressed since the first time it was made public on the Skype Forum (it was probably exploited before then) is anyone’s guess. Talking to the Fraud department of Skype, the representative mainly stated that I should:
1) Change my password for Skype – yes, that would have helped nothing in this case
2) Make sure I authorize Skype only on trustworthy devices

The bottom line, Skype users, make sure:
1) You have configured your Skype Manager – if you are using the Auto-Charge feature. I have disabled my Auto-Charge and PayPal authorization since then, and don’t plan on enabling it anytime (ever)
2) You have configured your Skype Work email – yes, if it’s unset, anyone can change it without needing to know your current password. Is this a PCI-authorized company? 😀

If you have more insight on the matter, let me know.

– Noam

Hacktivity 2012 CFP

Hacktivity 2012 Call For Papers: Deadline June 1st

The 9th annual IT Security Festival for Central and Eastern Europe will be held in Hungary in late September. The Hacktivity 2012 conference/festival will bring together information security professionals from all of central Europe in an informal, educational, but highly technical form.

Papers for HACKTIVITY 2012 are now being solicited and we invite you to participate.

For more information see: https://hacktivity.com/en/news/cfp-is-out-hurry-up/

For a list of the 36 presentations done in 2011 see: https://hacktivity.com/en/hacktivity-2011/programs/

NOPCON 2012

NOPcon is a non-profit and free hacker conference which will be held in Istanbul, TURKEY on 21 May.
The conference will be the first technical and international hacker conference in Istanbul. The conference aims to enable the learning and exchange of ideas and experiences between researchers, consultants and developers.

SPEAKERS
Moti Joseph – “Advanced Browser Exploiting”
Mohhammad Hluchan – “Militarization of Hacking and the New Cyber Arms Race in the Middle East”
Sertan Kolat – “Attacking iOS Applications”
Yasin Surer – “Kernel Exploiting”
Mert Sarica – “Attacking Android Applications”
Nebi Senol Yilmaz – “Defeating DDOS in FreeBSD Kernel”
Melih Tas – “Penetration Testing VOIP”
Ozan Ucar – “Real-world Penetration Testing Examples [Workshop]”
Evren Yalcin – “Advanced Web Application Security [Workshop]”
Celil Unuver – “SCADA (in)Security”

Registration
Registration for the conference is free: http://www.nopcon.org/register/

XSSQL attack (HTML5)

HTML5 brings a lot of new features to the web. One of its features is SQLite – a client-side database engine which allows data to be stored on the client side. Databases can be created and queried from JavaScript.

It is pretty clear that many developers would use the opportunity to store information on the client side. The risk will be high if they use this repository to store sensitive information such as user passwords, session IDs, credit card numbers etc.

In case of an XSS vulnerability in such a website, it would be possible to query these databases via JavaScript.
I even have a name for this attack – XSSQL :-) funny as well as concerning …

Ultimately, XSS attacks remain common and become even more powerful with the ability to query client-side databases and steal sensitive information.

See more details at http://yossi-yakubov.blogspot.com/2011/07/html-5-xssql.html