Skype dispatches swift fix for password reset flaw

An easy-to-exploit password reset vulnerability in Skype was patched by the company Wednesday morning.

Details about the flaw initially appeared on a Russian forum two months ago, but went viral early Wednesday after Reddit.com and other sites reposted details about the security issue, which could allow essentially anyone who knows a Skype user's email address to reset their account password and access their account.

Before resolving the issue, Skype posted a statement to its site Wednesday, saying it had temporarily disabled the password reset feature while it investigated the issue. At that time, the best protection method for users was to change their email address in case an attacker had already taken advantage of the bug.

Skype, which provides a voice-over-internet protocol (VoIP) service, was acquired by Microsoft last year for $8.5 billion, and has around 170 million users worldwide, according to its site.

On Wednesday, Chaim Haas, a Skype spokesman, emailed SCMagazine.com confirming that the password reset vulnerability had been resolved.

“The issue in question…has now been resolved and the password reset process has been updated so that it now works properly,” Haas said.

A statement on Skype's site said that a small number of users potentially impacted by the vulnerability were being contacted by the company.

“This issue affected some users where multiple Skype accounts were registered to the same email address,” the statement explained.

Kurt Baumgartner, senior security researcher at Kaspersky Lab, told SCMagazine.com in an email that the Skype security issue was a “rare” flaw, considering how easily it could be exploited.

“The problem was very poor design for the password reset process,” he said. “This sort of thing doesn't happen that often anymore on major services. I would call it a rare flaw.”

The only things an attacker would need are a few minutes of time, a small amount of knowledge about the victim, and an email account, he added.

“A similar sort of mistake, but somewhat more difficult to exploit, was the recent Google [SSL] certificate spoof,” he said. “These holes are rare, but they exist.”

