Skype dispatches swift fix for password reset flaw

An easy-to-exploit password reset vulnerability in Skype was patched by the company Wednesday morning.

Details of the flaw first appeared on a Russian forum two months ago, but spread widely early Wednesday after Reddit.com and other sites reposted them. The bug let essentially anyone who knew a Skype user's email address reset that user's password and take over the account.

Before the fix, Skype posted a statement to its site Wednesday saying it had temporarily disabled the password reset feature while it investigated. At that point, the best protection available to users was to change the email address associated with their account, in case an attacker had already taken advantage of the bug.

Skype, which provides a voice-over-internet protocol (VoIP) service, was acquired by Microsoft last year for $8.5 billion, and has around 170 million users worldwide, according to its site.

On Wednesday, Chaim Haas, a Skype spokesman, emailed SCMagazine.com confirming that the password reset vulnerability had been resolved.

“The issue in question…has now been resolved and the password reset process has been updated so that it now works properly,” Haas said.

A statement on Skype's site said that a small number of users potentially impacted by the vulnerability were being contacted by the company.

“This issue affected some users where multiple Skype accounts were registered to the same email address,” the statement explained.

Kurt Baumgartner, senior security researcher at Kaspersky Lab, told SCMagazine.com in an email that the Skype security issue was a “rare” flaw, considering how easily it could be exploited.

“The problem was very poor design for the password reset process,” he said. “This sort of thing doesn't happen that often anymore on major services. I would call it a rare flaw.”

The only things an attacker would need, he added, are a few minutes of time, a small amount of knowledge about the victim, and an email account.

“A similar sort of mistake, but somewhat more difficult to exploit, was the recent Google [SSL] certificate spoof,” he said. “These holes are rare, but they exist.”
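As an added illustration (this is not Skype's code, and the article does not describe how Skype's reset process worked internally), the following is a password-reset flow for a service that, like the one described in Skype's statement, allows several accounts to be registered to the same email address. It is written to show the properties such a process needs regardless of how many accounts share an address: every token is bound to exactly one account, is delivered only to a verified address of record, is single-use, and expires. The account names, the address victim@example.com, the 15-minute lifetime and the scenario in `demo()` are all constructed for the example.

```python
"""Password-reset flow for a service that allows several accounts per e-mail.

Added example for illustration only: not Skype's code. The design choices
(tokens bound to one account, sent only to a verified address of record,
single-use, time-limited) are the editor's, not something the article states.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset token


def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


@dataclass
class Account:
    account_id: str
    email: str
    email_verified: bool  # an unverified address is never a recovery channel
    password_hash: str


@dataclass
class ResetToken:
    account_id: str   # the one account this token may reset
    expires_at: float
    used: bool = False


class ResetService:
    def __init__(self, accounts, now=time.time):
        self.accounts = {a.account_id: a for a in accounts}
        self.tokens = {}   # sha256(token) -> ResetToken; never the raw token
        self.outbox = []   # (email, account_id, token) as "sent" mail
        self.now = now     # injectable clock so expiry can be tested

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Mint one token per account whose *verified* address is `email`.
        Tokens go only to that mailbox; the requester never sees them, so a
        second account registered with someone else's address gets nothing."""
        for acct in self.accounts.values():
            if acct.email_verified and acct.email.lower() == email.lower():
                token = secrets.token_urlsafe(32)
                self.tokens[self._key(token)] = ResetToken(acct.account_id, self.now() + TOKEN_TTL_SECONDS)
                self.outbox.append((acct.email, acct.account_id, token))
        # Same reply whether or not the address exists: no account enumeration.
        return "If that address is registered, reset instructions have been sent."

    def complete_reset(self, account_id, token, new_password):
        rec = self.tokens.get(self._key(token))
        if rec is None or rec.used or rec.expires_at < self.now():
            return False
        if rec.account_id != account_id:
            return False  # a token minted for a sibling account is not accepted here
        rec.used = True   # single-use
        self.accounts[account_id].password_hash = hash_password(new_password)
        return True


def demo():
    """Constructed scenario: a verified victim account and a freshly registered,
    unverified account both claim victim@example.com (made-up address)."""
    clock = [1_700_000_000.0]
    svc = ResetService(
        [Account("victim", "victim@example.com", True, hash_password("old-secret")),
         Account("attacker-new", "victim@example.com", False, hash_password("x"))],
        now=lambda: clock[0],
    )
    svc.request_reset("victim@example.com")
    victim_token = next(t for _, acct, t in svc.outbox if acct == "victim")
    results = {
        "tokens_issued_for": sorted(acct for _, acct, _ in svc.outbox),
        "cross_account_rejected": not svc.complete_reset("attacker-new", victim_token, "pwned"),
        "reset_ok": svc.complete_reset("victim", victim_token, "new-secret"),
        "replay_rejected": not svc.complete_reset("victim", victim_token, "again"),
        "new_password_works": verify_password("new-secret", svc.accounts["victim"].password_hash),
    }
    svc.request_reset("victim@example.com")       # fresh token, then let it expire
    fresh = svc.outbox[-1][2]
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["expired_rejected"] = not svc.complete_reset("victim", fresh, "late")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block shows that only the verified account receives a token, that a token cannot be redirected to a sibling account sharing the address, and that replayed or expired tokens are refused. Whoever controls the mailbox of record can still reset every verified account registered to it, which is why the article's interim advice to change the account's email address was the right mitigation while the reset feature was open.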

