Severe Skype Exploit Discovered, Password Resets Disabled to be Safe (Updated)


Password recovery tools fill a very useful place in today's login-crazy Web, but the helpful boon has turned into a hindering bane for Skype users. For at least two months, hackers have known -- and presumably been using -- a flaw in Skype's password recovery tool that allowed anyone to easily take control of any account if they knew its associated email address.

The Next Web successfully managed to recreate the exploit, which was first published on a Russian forum. After performing a few simple steps and sending a password reset token request to the Skype app itself rather than to the owner's inbox, the website was able to seize control of its editor's Skype account within minutes. TNW successfully reproduced the exploit with several other accounts.

Fortunately, Skype and Microsoft leaped right on top of the vulnerability after The Next Web shone a light on the issue. Shortly after the article went up, Skype sent out the following statement:

We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority.

The headache comes at a bad time for the communication service, which recently rolled out a new Skype for Windows 8 app as well as a Windows Phone 8 preview.

Update 1:52 P.M. EST: Well, that was fast. Skype just reached out to let us know that the vulnerability has been fixed and the service's password reset options are up and running once again. Read the brief details here.

  • Tifini Says:

    Thanks for the article. We all need to be more proactive about our personal account security. In my opinion, if they had two-factor authentication available this would not be a problem. Maybe now, since Microsoft bought a 2FA company, they will start offering 2FA in more of their products, giving us the option to telesign into our account with a text message with a specific code to be entered into the system.
