Skype security hole found in password-reset feature
(CNN/By Brandon Griggs) — Skype has disabled its password-reset feature after hackers discovered a security hole in the video-chat service that allows anyone to change a user’s password and take control of their account.
Skype said “a small number of users” may have been impacted. The company is investigating the problem.
“Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address,” Skype’s Leonas Sendrauskas said in a posting Wednesday.
“We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly,” he added.
“We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.”
The issue was posted on a Russian forum two months ago, but did not become widely known until it gained traction recently on Reddit and was confirmed by The Next Web, a tech-news blog.
To exploit the flaw, all hackers need to know is a victim’s e-mail address tied to his or her Skype account. They then can use that e-mail address to create a new account, and minus a few steps, use a password-reset token to gain access to the user’s account and lock out its original owner.
Staffers at The Next Web said they reproduced the attack, step-by-step, and managed to access the Skype accounts of a writer and an editor (with their permission), using only their e-mail addresses.
The issue could have exposed Skype instant messages and users’ personal details, including date of birth.
™ & © 2012 Cable News Network, Inc., a Time Warner Company. All rights reserved.