Skype dispatches swift fix for password reset flaw


An easy-to-exploit password reset vulnerability in Skype was patched by the company Wednesday morning.

Details about the flaw initially appeared on a Russian forum two months ago, but went viral early Wednesday after and other sites reposted details about the security issue, which could allow essentially anyone who knows a Skype user's email address to reset their account password and access their account.

Before resolving the issue, Skype posted a statement to its site Wednesday, saying it had temporarily disabled the password reset feature while it investigated the issue. At that time, the best protection method for users was to change their email address in case an attacker had already taken advantage of the bug.

Skype, which provides a voice-over-internet protocol (VoIP) service, was acquired by Microsoft last year for $8.5 billion, and has around 170 million users worldwide, according to its site.

On Wednesday, Chaim Haas, a Skype spokesman, emailed confirming that the password reset vulnerability had been resolved.

“The issue in question…has now been resolved and the password reset process has been updated so that it now works properly,” Haas said.

A statement on Skype's site said that a small number of users potentially impacted by the vulnerability were being contacted by the company.

“This issue affected some users where multiple Skype accounts were registered to the same email address,” the statement explained.

Kurt Baumgartner, senior security researcher at Kaspersky Lab, told in an email that the Skype security issue was a “rare” flaw, considering how easily it could be exploited.

“The problem was very poor design for the password reset process,” he said. “This sort of thing doesn't happen that often anymore on major services. I would call it a rare flaw.”

The only items an attacker would need are a few minutes of time, a small amount of knowledge about the victim, and an email account, he added.

“A similar sort of mistake, but somewhat more difficult to exploit, was the recent Google [SSL] certificate spoof,” he said. “These holes are rare, but they exist.”
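The condition Skype's statement describes, several accounts registered to one email address, is exactly the case a password reset flow has to handle explicitly: a reset must be scoped to one account, not to everything sharing the mailbox. The following is an added illustration written for this article, not Skype's code and not a description of its implementation; the account store, ids and email addresses are constructed.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60


class PasswordResetService:
    """Reset tokens are bound to one account id, single-use and time-limited,
    so an email address shared by several accounts never lets a token issued
    for one account reset another. Constructed example, not Skype's code."""

    def __init__(self, accounts, now=time.time):
        # accounts: {account_id: {"email": str, "password": str}} (hypothetical store)
        self.accounts = accounts
        self.now = now                 # injectable clock so expiry can be tested
        self._pending = {}             # sha256(token) -> (account_id, expires_at)

    def accounts_for_email(self, email):
        """All account ids registered to an email; the requester must pick one."""
        return sorted(aid for aid, acc in self.accounts.items()
                      if acc["email"].lower() == email.lower())

    def request_reset(self, email, account_id):
        """Issue a token for exactly one account. Returns None uniformly (no
        account-existence oracle) unless the id really belongs to that email."""
        if account_id not in self.accounts_for_email(email):
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()   # store only a hash
        self._pending[digest] = (account_id, self.now() + TOKEN_TTL_SECONDS)
        return token   # to be delivered only to the verified mailbox

    def complete_reset(self, account_id, token, new_password):
        """Consume the token; succeed only for the account it was issued for."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)   # single use: removed on any attempt
        if entry is None:
            return False
        bound_id, expires_at = entry
        if self.now() > expires_at or not hmac.compare_digest(bound_id, account_id):
            return False   # expired, or presented against a different account
        self.accounts[account_id]["password"] = new_password   # hash this in real code
        return True
```

A token presented for the wrong account is consumed and rejected, so a mismatch costs the attacker the token rather than giving them a second account.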
