Skype Temporarily Suspends Password Reset After Account Hijacking Security Hole Found

Skype temporarily took down the page that lets users reset their password after a security hole was found that let an attacker take control of another user's account. After changing the password reset process, Skype restored the page.

The issue was first documented on a Russian forum two months ago. To exploit the flaw, all an attacker had to do was create a new Skype account using the same email address as the intended victim. After proceeding through the signup process and ignoring the warning that an account with that email address already existed, the attacker could use the password reset request form to reset the password for every account associated with that address, the victim's included. Nothing in this sequence required control of the victim's inbox: signup bound a new account to an address its creator did not own, and the reset flow then acted on every account tied to that address. In turn, this locked the original account owner out.
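The attack path described above, modelled as an added Python example that is not Skype's code and is not part of the original article. The vulnerable flow binds an unverified address at signup and resets every account sharing it; the hardened flow requires the address to be verified first and issues a single-use, per-account reset token that is delivered only to that address's inbox (modelled here as an outbox dictionary). The class and function names, the `email_verified` flag and the sample accounts are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    password: str
    email_verified: bool = False


class VulnerableReset:
    """Flawed flow: signup only warns about a duplicate address, and a reset
    keyed on the address resets every account bound to it. (Constructed model.)"""

    def __init__(self):
        self.accounts = {}

    def signup(self, username, email, password):
        duplicate = any(a.email == email for a in self.accounts.values())
        # The warning is advisory only; the account is created regardless.
        self.accounts[username] = Account(username, email, password)
        return "warning: an account with this email already exists" if duplicate else "ok"

    def reset_password(self, email, new_password):
        # No proof that the requester controls the address, and the reset is
        # applied to all accounts sharing it, including the victim's.
        hit = [a for a in self.accounts.values() if a.email == email]
        for a in hit:
            a.password = new_password
        return sorted(a.username for a in hit)


class HardenedReset:
    """Address must be verified before it counts for reset; tokens are per
    account, single use, and reach only the inbox of that address."""

    def __init__(self):
        self.accounts = {}
        self.outbox = {}          # email -> messages only the address owner can read
        self.pending_verify = {}  # token -> username
        self.pending_reset = {}   # token -> username

    def signup(self, username, email, password):
        self.accounts[username] = Account(username, email, password)
        token = secrets.token_urlsafe(16)
        self.pending_verify[token] = username
        self.outbox.setdefault(email, []).append(("verify", username, token))
        return "verification required"

    def verify_email(self, token):
        username = self.pending_verify.pop(token, None)
        if username is None:
            return False
        self.accounts[username].email_verified = True
        return True

    def request_reset(self, email):
        # Only verified bindings count, and each account gets its own token.
        # The response is constant so the requester learns nothing.
        for a in self.accounts.values():
            if a.email == email and a.email_verified:
                token = secrets.token_urlsafe(16)
                self.pending_reset[token] = a.username
                self.outbox.setdefault(email, []).append(("reset", a.username, token))
        return "if the address is verified, a reset link has been sent"

    def complete_reset(self, token, new_password):
        username = self.pending_reset.pop(token, None)  # single use
        if username is None:
            return None
        self.accounts[username].password = new_password
        return username


def attack_vulnerable():
    svc = VulnerableReset()
    svc.signup("victim", "victim@example.com", "v-secret")
    svc.signup("attacker", "victim@example.com", "a-secret")  # ignores the warning
    reset = svc.reset_password("victim@example.com", "pwned")
    return reset, svc.accounts["victim"].password


def attack_hardened():
    svc = HardenedReset()
    svc.signup("victim", "victim@example.com", "v-secret")
    svc.verify_email(svc.outbox["victim@example.com"][-1][2])  # victim reads own inbox
    svc.signup("attacker", "victim@example.com", "a-secret")  # cannot verify: no inbox access
    svc.request_reset("victim@example.com")
    # Reset tokens went to the victim's inbox; the attacker can only guess one.
    result = svc.complete_reset(secrets.token_urlsafe(16), "pwned")
    reset_targets = sorted(u for kind, u, _ in svc.outbox["victim@example.com"] if kind == "reset")
    return result, svc.accounts["victim"].password, reset_targets
```

Running `attack_vulnerable()` shows both accounts reset and the victim's password overwritten; `attack_hardened()` shows the guessed token rejected, the victim's password untouched, and a reset message issued only for the verified victim account, in the victim's own inbox.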

Skype has documented the issue and reported it as resolved on its website:

Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.

Tags:  security, Skype