Skype finds and fixes problem with password reset security
Skype has finally fixed a password reset issue on its website that hackers have been manipulating for the past two months.
Wed, Nov 14, 2012 at 04:25 PM
Password recovery tools fill a very useful place in today’s login-crazy Web, but the helpful boon has turned into a hindering bane for Skype users. For at least two months, hackers have known — and presumably been using — a flaw in Skype’s password recovery tool that allowed anyone to easily take control of any account if they know its associated email address.
The Next Web successfully managed to recreate the exploit, which was first published on a Russian forum. After performing a few simple steps and a sending a password reset token request to the Skype app itself rather than the owner’s inbox, the website was able to seize control of its editor’s Skype account within minutes. TNW successfully repeated the vulnerability with several other accounts.
Fortunately, Skype and Microsoft leaped right on top of the vulnerability after The Next Web shined a light on the issue. Shortly after the article aired, Skype sent out the following statement:
We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority.
The headache comes at a bad time for the communication service, which recently rolled out a new Skype for Windows 8 app as well as a Windows Phone 8 preview.
At 1:52pm EST on 11/14, Skype reached out to let us know that the vulnerability has been fixed and the service’s password reset options are up and running once again. Read the brief details here.
Related on LAPTOP and MNN: