A major security hole was discovered in Skype today, allowing accounts to easily be hijacked using the password recovery tool. The scariest part? Your email address is all that’s required to take full control over your account!
TheNextWeb has the details:
To exploit this flaw, all you need to know is your victim’s email address tied to their Skype account. To protect yourself, you would have to change your email address to one that nobody knows or could easily guess, but most likely Microsoft will get around to fixing the problem before that becomes necessary.
We reproduced the attack, step-by-step, and managed to access the Skype accounts of TNW writer (with permission) Josh Ong (as well as editor Matt Brian to verify again) with only their email addresses. Essentially, that email address is used to create a new account with your own email address tied to it. Then, minus a couple of key steps, you can use a password reset token to gain access to your target’s account.
Fortunately, Microsoft acted quickly be temporarily disabling password resets, and has now fixed the issue – but this should still be a wakeup call for users. Those who use Skype would be well advised to secure their accounts by changing their password.
Microsoft released an official statement clarifying that they have addressed the problem:
We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience but user experience and safety is our first priority
Scary stuff!
