| Recurring |
one_organization |
(a) The software failure incident, a vulnerability that allowed new Skype accounts to be created using just an email address, recurred within the same organization. Dmitry Chestnykh, a Russian programmer, warned Skype about this vulnerability in August and demonstrated the issue by setting up a new Skype account using the email of Steve Ballmer, Microsoft's chief executive [15781].
(b) There is no specific mention in the article about a similar incident happening at other organizations or with their products and services. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase can be seen in the article where a Russian programmer, Dmitry Chestnykh, warned Skype about a vulnerability in the system design. He pointed out that anyone could create a new Skype account using an email address, even if they didn't control it. This design flaw allowed for the hijacking of people's accounts using just their email address, indicating a failure in the system's design [15781].
(b) The software failure incident related to the operation phase is evident in the article where hackers exploited a flaw in Skype's password reset feature. This flaw allowed them to take control of accounts if they knew the email address associated with the account. The operation of the system, specifically the password reset process, was manipulated by hackers to gain unauthorized access to user accounts, highlighting a failure in the operational aspect of the system [15781]. |
| Boundary (Internal/External) |
within_system |
(a) within_system: The software failure incident reported in the article is related to a vulnerability within Skype's system that allowed hackers to exploit the password reset feature and hijack users' accounts using just their email addresses. The flaw allowed anyone to create a new Skype account using an email address, even if they did not control it. This issue was reported to Skype by a programmer in August, but no action was taken until the vulnerability was exploited by hackers. Skype acknowledged the flaw and closed it off after the incident [15781].
(b) outside_system: The software failure incident does not seem to be primarily caused by factors originating from outside the system. The vulnerability exploited by hackers was a result of a flaw within Skype's system related to the password reset feature and the lack of verification for creating new accounts using email addresses [15781]. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in the article was primarily due to non-human actions. The vulnerability exploited by hackers to hijack Skype accounts using just the email address was a flaw in Skype's password reset feature. This flaw allowed anyone to create a new Skype account using an email address, even if they didn't control it. The issue was related to the lack of a verification system before allowing the creation of new accounts, which was a technical vulnerability in the software itself [15781].
(b) However, human actions were also involved in this incident. The founder of Coding Robots, Dmitry Chestnykh, had warned Skype about this vulnerability in August and even demonstrated the flaw by setting up a new Skype account using the email address of Steve Ballmer. Despite his efforts to alert Skype's security team, he received no response. This lack of response or action from the human side contributed to the exploitation of the software vulnerability by hackers [15781]. |
| Dimension (Hardware/Software) |
software |
(a) The software failure incident reported in the article is not directly linked to hardware issues. The vulnerability exploited by hackers to hijack Skype accounts using just the email address was a software-related flaw in Skype's system. The incident involved a weakness in Skype's password reset feature and account creation process, which allowed hackers to take control of accounts without compromising the owner's email account [15781].
(b) The software failure incident was primarily due to contributing factors originating in software. The vulnerability in Skype's system, which allowed the hijacking of accounts using just the email address, was a software-related flaw. The flaw was related to the account creation process and the lack of a verification system before allowing the creation of new accounts, indicating a software issue rather than a hardware one [15781]. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident reported in the article is malicious in nature. A Russian programmer, Dmitry Chestnykh, identified a vulnerability in Skype's system that allowed anyone to create a new Skype account using an email address they did not control. This vulnerability was exploited by hackers to hijack people's accounts using just their email address. Chestnykh demonstrated the weakness by setting up an account using the email of Steve Ballmer, Microsoft's chief executive, to prove the flaw still existed. The incident involved unauthorized access and potential account takeovers, indicating malicious intent [15781]. |
| Intent (Poor/Accidental Decisions) |
poor_decisions, accidental_decisions |
(a) The software failure incident reported in the article was related to poor decisions made by Skype in terms of their account creation and verification process. A Russian programmer, Dmitry Chestnykh, warned Skype about a vulnerability in August related to the ease with which new Skype accounts could be created using any email address, even if not controlled by the user. Despite being alerted to this issue, Skype did not take action to address it promptly. This poor decision on Skype's part left the system vulnerable to exploitation, leading to the hijacking of users' accounts [15781].
(b) The incident also involved accidental decisions or oversights on Skype's part. For example, the lack of a verification system before allowing the creation of new accounts led to the exploitation of the vulnerability. Additionally, the company's failure to respond to Chestnykh's email reporting the issue and the subsequent setup of a new Skype account using Steve Ballmer's email address highlighted accidental oversights in the security processes [15781]. |
| Capability (Incompetence/Accidental) |
development_incompetence, accidental |
(a) The software failure incident related to development incompetence is evident in the article as a Russian programmer, Dmitry Chestnykh, warned Skype about a vulnerability in August related to creating new Skype accounts using email addresses without verification. Despite his efforts to report the flaw to Skype's security team, he received no response, indicating a lack of professional competence in addressing reported vulnerabilities [15781].
(b) The software failure incident also shows elements of accidental factors contributing to the failure. The vulnerability exploited by hackers to hijack Skype accounts using just email addresses was not addressed promptly by Skype, leading to a situation where a new Skype account was set up using the email of Microsoft's chief executive, Steve Ballmer. This accidental oversight in addressing the reported vulnerability allowed for the exploitation of user accounts [15781]. |
| Duration |
permanent, temporary |
(a) The software failure incident in the article seems to be temporary as Skype temporarily suspended the password reset feature as a precaution and made updates to the password reset process to address the vulnerability. Skype mentioned that they were reaching out to a small number of users who may have been impacted and were committed to providing a safe and secure communications experience to their users [15781].
(b) The software failure incident could also be considered permanent to some extent as the vulnerability reported by the Russian programmer in August was not addressed by Skype, leading to the exploitation of a similar flaw by hackers in November. The founder of Coding Robots pointed out a weakness in Skype's system regarding the creation of new accounts using any email address without verification, which was not fixed by Skype initially [15781]. |
| Behaviour |
omission, value, other |
(a) crash: The software failure incident related to Skype's security vulnerability did not involve a crash where the system loses state and does not perform its intended functions. Instead, the vulnerability allowed unauthorized access to user accounts [15781].
(b) omission: The incident could be related to an omission as the vulnerability allowed the creation of new Skype accounts using email addresses without proper verification, omitting the necessary security checks [15781].
(c) timing: The timing of the incident could be related to the system performing its intended functions (account creation) but doing so without proper timing in terms of security checks, allowing for unauthorized access [15781].
(d) value: The software failure incident could be related to a value failure as the system allowed the creation of new accounts incorrectly without verifying the ownership of the email addresses, leading to compromised security [15781].
(e) byzantine: The incident does not seem to exhibit byzantine behavior, where the system behaves erroneously with inconsistent responses and interactions. Instead, the vulnerability allowed for a specific type of unauthorized access [15781].
(f) other: The behavior of the software failure incident could also be categorized as a security vulnerability that allowed for unauthorized access to user accounts by exploiting a flaw in the password reset feature, leading to potential security breaches [15781]. |