Skype dispatches swift fix for password reset flaw

An easy-to-exploit password reset vulnerability in Skype was patched by the company Wednesday morning.

Details about the flaw initially appeared on a Russian forum two months ago, but went viral early Wednesday after Reddit.com and other sites reposted details about the security issue, which could allow essentially anyone who knows a Skype user's email address to reset their account password and access their account.

Before resolving the issue, Skype posted a statement to its site Wednesday, saying it had temporarily disabled the password reset feature while it investigated the issue. At that time, the best protection method for users was to change their email address in case an attacker had already taken advantage of the bug.

Skype, which provides a voice-over-internet protocol (VoIP) service, was acquired by Microsoft last year for $8.5 billion, and has around 170 million users worldwide, according to its site.

On Wednesday, Chaim Haas, a Skype spokesman, emailed SCMagazine.com confirming that the password reset vulnerability had been resolved.

“The issue in question…has now been resolved and the password reset process has been updated so that it now works properly,” Haas said.

A statement on Skype's site said that a small number of users potentially impacted by the vulnerability were being contacted by the company.

“This issue affected some users where multiple Skype accounts were registered to the same email address,” the statement explained.
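The statement above points at the design question behind the flaw: when several accounts share one email address, a reset must be bound to exactly one account. The following Python sketch is an added illustration of that defensive pattern; it is not Skype's code and does not describe how Skype's reset actually worked. The account store, email addresses, token lifetime and function names are all constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory account store: two accounts registered to the same
# email address, the situation the Skype statement describes. A real store
# would hold password hashes, not plaintext.
ACCOUNTS = {
    "alice_2009": {"email": "alice@example.com", "password": "old-secret"},
    "alice_2012": {"email": "alice@example.com", "password": "other-secret"},
}
RESET_TOKENS = {}        # sha256(token) -> {"account_id": ..., "expires": ...}
TOKEN_TTL_SECONDS = 15 * 60


def _digest(token: str) -> str:
    # Store only a hash of the token so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_tokens(email: str, now=None) -> dict:
    """Start a reset for an email address.

    One token per account, each bound to exactly one account id, so a
    reset can never be redirected to a sibling account that shares the
    address. Returns {account_id: token}; the caller would mail these out.
    """
    now = time.time() if now is None else now
    issued = {}
    for account_id, acct in ACCOUNTS.items():
        if acct["email"].lower() == email.strip().lower():
            token = secrets.token_urlsafe(32)
            RESET_TOKENS[_digest(token)] = {
                "account_id": account_id,
                "expires": now + TOKEN_TTL_SECONDS,
            }
            issued[account_id] = token
    return issued


def redeem_reset_token(token: str, account_id: str, new_password: str, now=None) -> bool:
    """Apply a reset only to the account the token was issued for."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_digest(token))
    if record is None or record["expires"] < now:
        return False                                  # unknown or expired
    if record["account_id"] != account_id:
        return False                                  # token bound elsewhere
    del RESET_TOKENS[_digest(token)]                  # single use
    ACCOUNTS[account_id]["password"] = new_password
    return True
```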

Kurt Baumgartner, senior security researcher at Kaspersky Lab, told SCMagazine.com in an email that the Skype security issue was a “rare” flaw, considering how easily it could be exploited.

“The problem was very poor design for the password reset process,” he said. “This sort of thing doesn't happen that often anymore on major services. I would call it a rare flaw.”

The only things an attacker would need are a few minutes of time, a small amount of knowledge about the victim and an email account, he added.

“A similar sort of mistake, but somewhat more difficult to exploit, was the recent Google [SSL] certificate spoof,” he said. “These holes are rare, but they exist.”
