Skype's UX security vulnerability

By Peter West • 19th November 2018 18:20

I woke this morning to people emailing me that I've been sending them spam links via Skype. My account had been compromised. How had this happened?

I thought I was fairly safe from hackers. I choose secure passwords. I had enabled Microsoft's two-factor authentication - to log in to Skype I need to type in a random code received by SMS or email.

It turns out that there is a way to completely bypass Microsoft's 2FA: simply log in with the original Skype username and password, the credentials from before the account was moved under a Microsoft account. You will not be prompted for a code at all.

I didn't even know that login still existed after Skype was absorbed into Microsoft. That password was several years old, devised when I thought "fr3d123" would suffice. It's probably floating around in several stolen forum databases.

Microsoft's 2FA had given me a false sense of security. I'd bolted the door shut but left the window wide open.

This is a serious flaw in Microsoft's security practices: the second factor is enforced on one sign-in path rather than on the account, so the weakest credential that still resolves to the account gets in without it. It has been reported before, yet Skype has done nothing to fix it, nor has it made any effort to disable old credentials.

(And let's hope that Microsoft decide not to make GitHub users start logging in via Microsoft.)

To fix this, go to https://account.live.com/SignInPreferences and disable any old sign-in aliases. Afterwards, confirm that the legacy Skype username no longer lets you in, with or without the old password.
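The shape of the flaw described above, and the alias-removal remediation, as an added example in Python. This is a model written for this post, not Microsoft's or Skype's code; the account names, passwords, the "123456" one-time code and the directory layout are constructed for illustration. The vulnerable login ties the second-factor check to the primary sign-in name, so a legacy alias with a weak old password walks straight in; the hardened login resolves any alias to its account first and applies the account's MFA policy to every path, and `disable_alias` models what the SignInPreferences page does.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored digests are not directly comparable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Credential:
    salt: bytes
    digest: bytes

    def check(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, _pw_hash(password, self.salt))


def new_credential(password: str) -> Credential:
    salt = secrets.token_bytes(16)
    return Credential(salt, _pw_hash(password, salt))


@dataclass
class Account:
    primary: str          # the Microsoft-account sign-in name (constructed)
    mfa_enabled: bool     # account-level policy: a second factor is required
    logins: dict = field(default_factory=dict)  # every sign-in name -> Credential


class Directory:
    """Maps every sign-in name (primary or legacy alias) to its account."""

    def __init__(self) -> None:
        self.by_login: dict = {}

    def add(self, acct: Account) -> None:
        for name in acct.logins:
            self.by_login[name] = acct

    def resolve(self, name: str):
        return self.by_login.get(name)

    def disable_alias(self, acct: Account, name: str) -> None:
        """Remediation from the post: remove a legacy alias so it can no longer
        be used to sign in at all."""
        if name == acct.primary:
            raise ValueError("cannot remove the primary sign-in name")
        acct.logins.pop(name, None)
        self.by_login.pop(name, None)


def build_demo():
    """Constructed account: strong primary password, MFA on, plus a legacy
    Skype alias whose old weak password is the one that leaked."""
    acct = Account(
        primary="user@example.com",
        mfa_enabled=True,
        logins={
            "user@example.com": new_credential("correct-horse-battery-staple-2018"),
            "legacy_skype_name": new_credential("fr3d123"),
        },
    )
    directory = Directory()
    directory.add(acct)
    return directory, acct


def otp_ok(otp) -> bool:
    # Stand-in for verifying the SMS/email code; "123456" is the constructed valid code.
    return otp == "123456"


def login_vulnerable(directory: Directory, name: str, password: str, otp=None) -> bool:
    """The bug: the second factor is attached to one sign-in path (the primary
    name), not to the account, so the legacy alias path never asks for it."""
    acct = directory.resolve(name)
    if acct is None or not acct.logins[name].check(password):
        return False
    if name == acct.primary and acct.mfa_enabled:
        return otp_ok(otp)
    return True  # legacy alias: password alone is enough


def login_fixed(directory: Directory, name: str, password: str, otp=None) -> bool:
    """Hardened: whichever alias was typed, resolve it to the account first and
    enforce that account's MFA policy on every path."""
    acct = directory.resolve(name)
    if acct is None or not acct.logins[name].check(password):
        return False
    if acct.mfa_enabled:
        return otp_ok(otp)
    return True


if __name__ == "__main__":
    d, a = build_demo()
    print("legacy alias, no code, vulnerable:", login_vulnerable(d, "legacy_skype_name", "fr3d123"))
    print("legacy alias, no code, fixed:     ", login_fixed(d, "legacy_skype_name", "fr3d123"))
    d.disable_alias(a, "legacy_skype_name")
    print("legacy alias after removal, fixed:", login_fixed(d, "legacy_skype_name", "fr3d123", "123456"))
```

The design point is where the policy lives: `login_vulnerable` consults `mfa_enabled` only after it has already decided the request came through the primary name, while `login_fixed` consults it for the account no matter which name was typed. Removing the alias on top of that also takes the leaked old password out of play entirely.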