Well-written and tested software seems to be an idealistic assumption, with services like Skype and Facebook failing to eliminate flaws in the very components that ensure security and privacy on their platforms.
There have been two reported cases where Skype and Facebook accounts were hijacked by exploiting logical flaws in their account set-up and recovery mechanisms.
The security researchers who uncovered these flaws smartly combined features meant for setting up and resetting accounts to gain full control over a victim's account. Neither attack required coding knowledge or special skills, and the attacker did not need any secret credential to gain access; an email id or profile name was enough. In both attacks the owners of the targeted accounts had no indication that the hijack was underway until they were no longer able to access their account.
Very recently Facebook fixed a flaw where a victim's account could be hijacked with a single SMS in under a minute. The hijack was a two-step process. In the first step an arbitrary mobile phone was associated with the target's Facebook account; in the second step a password reset was initiated from the attacker's phone to choose a new password for the targeted account, giving the attacker complete access.
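The two-step hijack described above hinges on the first step: a phone number becoming a trusted recovery channel for an account without any proof that the account's owner asked for it. The model below is an added example, not code from either site or from the referenced blog posts; it shows a constructed binding-and-reset flow with that defect beside a hardened version in which a number is usable for SMS reset only after the owner's own session requests the link and the code texted to the number is returned.

```python
import secrets

class Account:
    def __init__(self, profile, password):
        self.profile = profile
        self.password = password
        self.phone = None     # recovery number trusted by the SMS password reset
        self.pending = {}     # phone -> code awaiting confirmation (hardened flow only)

class VulnerableService:
    """Constructed model of the flaw: anyone can attach a phone to any profile,
    and the SMS reset then trusts whoever holds that phone."""
    def __init__(self):
        self.accounts = {}
        self.sms_outbox = {}  # phone -> code "sent"; stands in for the SMS gateway

    def register(self, profile, password):
        self.accounts[profile] = Account(profile, password)

    def link_phone(self, profile, phone, session_owner=None):
        self.accounts[profile].phone = phone   # no check that the caller owns the profile
        return True

    def reset_via_phone(self, phone, new_password):
        # The real flow texts a code to `phone` and accepts the new password from
        # whoever returns it; the phone's holder passes that step by construction.
        acct = next((a for a in self.accounts.values() if a.phone == phone), None)
        if acct is None:
            return False
        acct.password = new_password
        return True

class HardenedService(VulnerableService):
    """Only the owner's own session may start a link, and the number becomes a
    recovery number only after the code texted to it is echoed back."""
    def link_phone(self, profile, phone, session_owner=None):
        if session_owner != profile:
            return False          # request did not come from the account owner
        code = secrets.token_hex(3)
        self.accounts[profile].pending[phone] = code
        self.sms_outbox[phone] = code
        return True

    def confirm_phone(self, profile, phone, code):
        acct = self.accounts[profile]
        if acct.pending.pop(phone, None) != code:   # one attempt per link request
            return False
        acct.phone = phone        # verified: only now usable for SMS reset
        return True
```

Profile names, phone numbers and session ownership are constructed stand-ins; the point is that the reset step is sound in both services and the whole difference lies in who may bind a number and how it is verified.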
The blog post "How to hack any Facebook account in under a minute, by sending just one SMS" provides a step-by-step description of how this attack was carried out.
Last year, a Skype account could easily be hijacked with nothing more than the victim's email address. The blog post "Your Skype account can be hijacked with just your email address" provides a step-by-step description of how this attack was carried out.
These sites have been in operation for many years, yet they were still susceptible to the introduction of new flaws, or perhaps the reintroduction of old ones, as new functionality was added. The root cause is the pressure of rapid release cycles coupled with limited testing of new features.
As a cybercitizen you have limited defenses against flaws of this type. One-time authentication, if the site provides it, strengthens login security. Another good practice is to use two email ids: one kept secret and used only as a login credential, and another for regular email.
photo credit: Rosaura Ochoa via photopin cc