⚠ Action Required: Revisit your Skype account security

The Really Really Short Version

If you don’t have time to read the full post below, these are the minimum steps you should follow to secure your Skype account:

  1. Visit https://account.microsoft.com
  2. If already signed in, sign out
  3. Sign in with your Skype account (old Skype username, not email or phone number)
  4. Follow the bouncing ball to completion

For the most complete fix, and a little background, read on.

Event

There has been quite a peak of spam on Skype this week, involving compromised credentials.

I received several spam messages from contacts of mine, all of whom were knowledgeable about IT security, and avid users of password managers and two factor authentication. The spam messages were simple links via Baidu or LinkedIn open redirect endpoints. The links had been tagged with my owner username, likely to give them info on whose accounts to target next.

Examples:

http://www.baidu.com/link?url=K5Qk05iVlt3Y6aAf9sMG-mbU98S6KtZzw_QXSoV43bq#akapam=tathamoddie
http://www.baidu.com/link?url=PMt9KtBY9eaiLoIEI4X371iGX9YxMPZsI0YCEixu_BR08Qp5GG6kFi8hJPxCAA0J#guhac=tathamoddie
https://www.linkedin.com/slink?code=d2VJ4zx#asihu=tathamoddie
https://www.linkedin.com/slink?code=dYUr8HT#uljbupyh=tathamoddie

After a little bit of digging, I found vulnerabilities in my own Skype account setup. I expect many people to be in similar position, based on Microsoft + Skype’s approach to account migrations over the years.

Impact and Risk

These vulnerabilities are simple to close. Leaving them open leaves you at high risk of being the source of embarrassing spam messages to your contacts, and potentially being locked out of your Skype account for good. (Skype accounts aren’t always linked to email addresses, making the password recovery process notoriously difficult.)

Issue

Long time users of Skype will have set up their Skype account under a username. Mine was tathamoddie. The sign up flow never used to prompt for an email address or phone number. (It does now.)

After Microsoft acquired Skype, they added support for ‘linking’ a Microsoft account to your Skype account. This allowed me to login to my Skype account via my Microsoft Account (tatham@oddie.com.au). Anybody who has used the Windows 8 or Windows 10 apps for Skype will have been encouraged down this path.

Linking a Microsoft account never prevented the Skype-based sign in.

Skype accounts have never supported two-factor authentication.

Skype accounts are actively being compromised via simple username + password authentication, with no second factor validations in play. Skype are stating that this is most likely due to credential re-use, however I know of one IT security professional whose account was compromised despite using a unique password that was always stored in a password manager. Considering the simplicity of Skype’s overall approach to authentication, and their rather broad range of client APIs, I’d postulate that there’s some brute forcing in play as well, or there has been a credential leak.

Future

Microsoft are on a mission to merge all of their identity platforms: consumer Microsoft accounts, work or school accounts (OrgId / AAD), and Skype accounts. It’s a mammoth effort behind the scenes.

As part of this process, they’re supporting the use of multiple ‘aliases’ for each account. These are essentially multiple usernames. This allows you to login using your email address, your mobile number, or your Skype username. They’re rationalising down to one password and one approach to proofs though.

Last week, Microsoft/Skype launched the latest migration push:

Today we are excited to announce that you can now use your Skype Name to sign into other Microsoft services like Xbox, Office and OneDrive. If you have any questions or want to find out more, please visit our FAQ.

Based on the migration experience, I don’t believe that there’s any way to use an old Skype account to compromise a Microsoft account by bypassing MFA controls, however it doesn’t hurt to hurry up and close off the old login vector now. That’s exactly what we’ll do to apply this security fix.

Fix

Ensure that you know your Skype username:

  1. Visit https://secure.skype.com/portal/account/settings
  2. It’ll show your Skype name near the top

Convert your Skype account into an additional alias for your Microsoft account:

  1. Visit https://account.microsoft.com
  2. If already signed in, sign out.
  3. Sign in with your Skype account (old Skype username, not email or phone number).
  4. You will be prompted to upgrade your Skype account to a Microsoft account. Follow this process to completion.

At this point, you’re back to a single password, and your Skype account is no longer a sign-in vector of its own. Your Microsoft account’s multi-factor authentication is now effective in protecting your Skype account.

Disable excess sign-in aliases on your Microsoft account:

  1. Visit https://account.live.com/SignInPreferences?amru=proofs%2FManage
  2. Disable as many sign-in aliases as you can, especially ones that you don’t commonly monitor. I disabled my Skype name, and just left my email address.

Validation

Let’s make sure it worked:

  1. Launch an InPrivate browser tab. It must be InPrivate, to avoid a cookie stamp they would have left in an earlier step post-account migration.
  2. Visit https://go.skype.com/myaccount
  3. You should encounter a Skype-based login screen, served from https://login.skype.com:skypemsa6
  4. Try entering your old Skype username.
  5. You should get redirected away to the Microsoft-based login screen, served from https://login.live.com

If you’re redirected away, then you’re all done.

If you weren’t redirect to the Microsoft-based login screen at https://login.live.com, then something isn’t done yet.

Background

Skype have posted some background information this week:

https://community.skype.com/t5/Security-Privacy-Trust-and/Spam-messages-amp-links-sent-from-your-account/td-p/4511001

https://support.skype.com/en/faq/FA34657/one-account-for-skype-and-your-other-microsoft-services

3 comments

  1. This happened to me, although there has been additional weirdness as well so I thought I’d post as this is the only thing I’ve found on this issue. (Skype support has as per usual been hopeless.) There are clearly many issues with the account unification transition.

    I’ve had my Skype and Microsoft accounts linked for over a year now, and have since always logged in with my Microsoft account enabled with two factor authentication. My Microsoft account has a unique password. So I was very shocked when I woke up Saturday to the news that my Skype account had been compromised and used to send Baidu links (of the first variety above) to all my contacts.

    Evidently they were able to log into Skype using my old Skype user name and—as I surmise from your post and others—my old Skype password. (According to the account activity screen, it was accessed from Malaysia from the IP address 118.100.122.223.) This apparent use of old Skype credentials, as far as I know, should have been impossible, since my account had already been “upgraded”. (I can’t even remember my old Skype password because it’s been so long since I’ve used it.)

    When I woke up I had received the standard “Someone else might have accessed your Microsoft account” email and text message, and quickly isolated the problem to Skype. So that part of the functionality did work, i.e. that I was informed of the account intrusion. I was able to erase the messages sent, and based on your post and others I disabled account login from my Skype alias, but something is still seriously wrong here. Luckily it does not seem that they were able to access other areas of my Microsoft account (OneDrive, etc.), but they SHOULD NOT have been able to access my account without pushing my two factor authentication.

    There is something else still odd here, which leads me to believe that there are still issues: when I go to my “Skype account settings” page online, which I log into now through my Microsoft account primary alias, I am first still given the option to “change Skype password,” which then of course redirects me to the Microsoft account password change, as it should. Still odd that it is there.

    But then, if I attempt to update my Skype profile, I am prompted for a password, and my Microsoft password DOES NOT work here. It still seems to want my old Skype password from over a year ago. (Which, again, I don’t remember.) So there is clearly something wonky happening on the Microsoft side.

    Thanks again for the post!

    1. Doh! Mine was already linked prior, so I didn’t re-test that flow. I’ve updated the post with an approach that doesn’t require this linking step, and also shortens the overall process.

Comments are closed.