Hackers recently discovered that anyone was able to reset the password for a Skype user’s account, allowing them to quickly and easily gain access to the VoIP service. Now, Microsoft, which owns Skype, has pulled the password reset page, which provides an easy albeit temporary fix to the issue.
According to TNW, a hacker only needed to know the email address that was used to register a Skype account. With that, a would-be hacker could easily access the account information and reset the password for any user name associated with the registered email address. TNW was even able to recreate the flaw using the addresses of several employees (with permission, of course). “Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account,” TNW explained.
Skype responded to the issue with the following statement:
We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority.
We’ll keep you updated on any further developments.