Skype pulls password reset page over major security hole

By on November 14, 2012, 9:30 AM

Update: Skype has posted an update on its blog saying that the vulnerability has now been fixed and that it is reaching out to "a small number of users" who may have been impacted to assist as necessary -- original story below.

Reports have emerged about a security hole in Skype's password recovery mechanism that allowed any account to be hijacked knowing only the username and email address. The Next Web first reported the issue and was able to reproduce the attack following step-by-step instructions posted on a Russian forum two months ago.

The whole process is so straightforward that it’s surprising how the company could have missed such a glaring security hole within its system. Apparently, it’s possible to create a new Skype account with an email address that’s already in use by another person, effectively associating a single email to two different users.

From there an attacker can request a password reset for the targeted account and a token will be sent to the associated email address, which normally wouldn’t be a problem but surprisingly it is also displayed on the Skype interface. Armed with that token it is possible to reset the password for the original and the dummy account, since both are associated to the same email and Skype will simply ask which one you want reset.

The Next Web says that the flaw had been previously reported to Microsoft but it wasn’t until it became public that they decided to take action. Skype has since pulled its password reset page as it investigates the problem. Below is a short statement posted this morning on the Skype blog:

We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority.


Image via Ghacks




User Comments: 4

Got something to say? Post a comment
avoidz avoidz said:

Great. Another reason why I'm reluctant to move from WLM to Skype. Doesn't really give one a lot of confidence.

Emexrulsier said:

Why no confidence? A fault was found and promptly fixed.

Darth Shiv Darth Shiv said:

Why no confidence? A fault was found and promptly fixed.

A fault was found for an industry standard practice that should have been pretty solid to begin with... particularly from a service and provider as big as skype!

TJGeezer said:

"The Next Web says that the flaw had been previously reported to Microsoft but it wasn?t until it became public that they decided to take action. "

No link to that story? I don't recall it even being talked about anywhere else. I thought MS was taking security much more seriously these days. Some details would be nice.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.