It can sometimes be difficult to balance out ease of use with security. Software companies and online services can be under pressure to make the user experience as smooth as possible, even for potentially risky services like password resets, which saves the company money on tech support and help costs. Unfortunately, rounding off corners can also create gaps in security. A security hole was found in Skype‘s password reset procedure that could have allowed anyone who knows your email address to “hack” into your Skype account, and only gained attention after the vulnerability was posted on Reddit.
The issue was caused by a flaw in Skype’s password reset scheme, which allows password reset tokens to be activated through Skype instead of through the original account email. All you needed to do was sign up for a new Skype account with the victim’s email address–despite the notification that the email is already associated with a Skype account, log in to Skype, and request a password reset of the account. Since your Skype account is already associated with the victim’s email address, the notification token would appear inside your Skype window instead of just the victim’s inbox. You can then use this security token to reset the password of the victim’s Skype account.
You don’t have to worry about this vulnerability unless you’ve already seen a password reset notification from Skype in your email inbox. Skype disabled the password reset this morning and has reportedly fixed the underlying issue–indeed, comments from would-be account crackers seem to confirm that the exploit no longer works. For some users, it may be too late as the vulnerability was known and disclosed through Russian forums for at least three months before being widely recognized.
Have you lost your Skype account to a digital break-in? Share your thoughts in the comments section below.