Skype has moved to temporarily disable a password reset page that made it easy for anyone to basically take over another user’s Skype account if they knew what email address is linked to the account.
The security hole was first discovered on a Russian underground forum three months ago.
The exploit was made possible by signing up for a new Skype account using the email address of another user. By simply requesting a new password from the victim’s account a security token was sent to the attacker’s Skype client, making it possible to reset the login details.
To make matters worse, it has been discovered that when a victim’s account is accessed after the hijacking the entire conversation history gets downloaded from the victim’s contacts, according to a Reddit board on the subject.
According to The Next Web, which successfully attempted the hijack between two consenting editors, it was proved possible to take over another person’s account and then lock them out of their own account.
It recommends that the best way to avoid being targeted is to use a different email address for your Skype account.
Skype has temporarily disabled the password reset page and will investigate the issue.
Update:
“Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website,” Skype said in a statement.
“This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly.
“We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologise for the inconvenience,” Skype added.
