Skype Vulnerability, Now Blocked, Allowed Account Hijack
Security blogs everywhere are reporting on a Skype vulnerability which allowed easy hijacking of an account if the attacker knew the email address of a user.
Skype temporarily disabled password resetting this morning, the feature which allowed the hijack. We advise you to log in to your account to make sure it has not been hijacked and to check your history.
The problem was first publicized last night on Russian web forums. Skype now claims to have fixed the password reset so that it cannot be abused in this way.
Skype issued a statement on the issue:
Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.
Follow Larry Seltzer and BYTE on Twitter, Facebook, LinkedIn, and Google+: