Skype dispatches swift fix for password reset flaw

An easy-to-exploit password reset vulnerability in Skype was patched by the company Wednesday morning.

Details about the flaw initially appeared on a Russian forum two months ago, but went viral early Wednesday after Reddit.com and other sites reposted details about the security issue, which could allow essentially anyone who knows a Skype user's email address to reset their account password and access their account.

Before resolving the issue, Skype posted a statement to its site Wednesday, saying it had temporarily disabled the password reset feature while it investigated the issue. At that time, the best protection method for users was to change their email address in case an attacker had already taken advantage of the bug.

Skype, which provides a voice-over-internet protocol (VoIP) service, was acquired by Microsoft last year for $8.5 billion, and has around 170 million users worldwide, according to its site.

On Wednesday, Chaim Haas, a Skype spokesman, emailed SCMagazine.com confirming that the password reset vulnerability had been resolved.

“The issue in question…has now been resolved and the password reset process has been updated so that it now works properly,” Haas said.

A statement on Skype's site said that a small number of users potentially impacted by the vulnerability were being contacted by the company.

“This issue affected some users where multiple Skype accounts were registered to the same email address,” the statement explained.

Kurt Baumgartner, senior security researcher at Kaspersky Lab, told SCMagazine.com in an email that the Skype security issue was a “rare” flaw, considering how easily it could be exploited.

“The problem was very poor design for the password reset process,” he said. “This sort of thing doesn't happen that often anymore on major services. I would call it a rare flaw.”

The only things an attacker would need are a few minutes of time, a small amount of knowledge about the victim, and an email account, he added.

“A similar sort of mistake, but somewhat more difficult to exploit, was the recent Google [SSL] certificate spoof,” he said. “These holes are rare, but they exist.”
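The statement above says the flaw hit users who had several Skype accounts registered to one email address, and Baumgartner's point is that the reset process itself was poorly designed. The following is an added illustration, not Skype's code or anything the article describes in detail: a minimal reset flow in which a token is only ever bound to one account id, so a second account sharing the same email cannot be used to reset the first, and knowing the address alone is never enough. Account names, emails and hashes are constructed sample data.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample data: two accounts share one recovery email, the
# configuration the article says was affected.
ACCOUNTS = {
    "alice_work": {"email": "alice@example.com", "password_hash": "h1"},
    "alice_home": {"email": "alice@example.com", "password_hash": "h2"},
}
TOKEN_TTL = 900  # seconds a reset token stays valid


@dataclass
class ResetStore:
    """Pending reset tokens; each maps to exactly one account id."""
    tokens: dict = field(default_factory=dict)  # token -> (account_id, expiry)


def request_reset(store, account_id, email):
    """Issue a token only if `email` matches that specific account's email.

    Returns the token that would be mailed to the address, or None. The
    caller learns nothing about whether the account or email exists."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or not hmac.compare_digest(acct["email"], email):
        return None
    token = secrets.token_urlsafe(32)  # unguessable; delivered only to the mailbox
    store.tokens[token] = (account_id, time.time() + TOKEN_TTL)
    return token


def complete_reset(store, account_id, token, new_hash):
    """Apply the new password only to the account the token was issued for.

    The token is single use: any attempt, matching or not, consumes it."""
    entry = store.tokens.pop(token, None)
    if entry is None:
        return False
    bound_id, expiry = entry
    if time.time() > expiry or bound_id != account_id:
        return False  # wrong account for this token, or token too old
    ACCOUNTS[account_id]["password_hash"] = new_hash
    return True
```

A token issued for alice_home is rejected when presented against alice_work, even though both accounts list the same email; only a token mailed for the target account, within its lifetime, changes that account's password.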
