UPDATE – Skype engineers have repaired a newly reported vulnerability that would allow someone to abuse the platform’s password-reset mechanism to take over another account.
“We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is not working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary,” said Leonas Sendrauskas, a Skype Web QA engineer based in Estonia, in a prepared statement. Customers are automatically protected and do not need to take any action.
The vulnerability has been circulating on Russian forums for more than two months, and according to posts there, accounts can be taken over in a handful of steps. The hack, however, became public this morning when it was posted on Reddit.
Experts were recommending that anyone with a public or well-known email address tied to their Skype account change it. An attacker needed only to know a potential victim’s email address to hijack the account. A weakness in the password reset system allowed an attacker to create a new Skype account using an email address already tied to an existing Skype account. When the attacker then requested a password reset for that address, the reset token was delivered to the Skype application, so the attacker’s newly created account received it. In a couple of further steps the attacker could apply that token to the victim’s account, gaining access to the account, its user name, text and conversation history and more.
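To make the flaw class concrete, here is a small Python model, added for this article and not Skype’s code, of a reset service with the weaknesses the paragraph describes (an existing address can be bound to a second account without verification, the reset token is tied to the address rather than to one account, and it is pushed to the client) beside a hardened version that binds each token to a single verified account and delivers it to the mailbox alone. The account names, addresses and passwords are constructed sample data.

```python
"""Toy model of the reset flaw class and its hardened form; not Skype's code."""
import hashlib
import hmac
import secrets

VICTIM, VICTIM_EMAIL = "victim", "victim@example.com"   # constructed sample data
ATTACKER = "attacker"


class WeakResetService:
    """Tokens are keyed by email address, not by account, and registration never
    checks that the registrant controls the address."""

    def __init__(self):
        self.accounts = {}   # username -> {"email": str, "password": str}
        self.tokens = {}     # reset token -> email

    def register(self, username, email, password):
        # Flaw 1: an address already bound to another account is accepted unverified.
        self.accounts[username] = {"email": email, "password": password}

    def request_reset(self, email):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = email
        # Flaw 2: the token is pushed to every client logged in under this address,
        # so the attacker's freshly registered account receives it too.
        return token

    def reset_password(self, token, username, new_password):
        email = self.tokens.pop(token, None)
        acct = self.accounts.get(username)
        # Flaw 3: the token is checked only against the email, so the caller picks
        # which of the accounts sharing that email gets the new password.
        if email is None or acct is None or acct["email"] != email:
            return False
        acct["password"] = new_password
        return True

    def login(self, username, password):
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(acct["password"], password)


class HardenedResetService:
    """An address belongs to at most one account, and only after the mailbox owner
    confirms it; a reset token names that one account, is stored hashed, and is
    delivered to the mailbox alone."""

    def __init__(self):
        self.accounts = {}      # username -> {"email": str | None, "password": str}
        self.email_owner = {}   # verified email -> username
        self.pending = {}       # verification token -> (username, email)
        self.tokens = {}        # sha256(reset token) -> username

    def register(self, username, email, password):
        if email in self.email_owner:
            return None         # address already verified for another account: refuse
        self.accounts[username] = {"email": None, "password": password}
        vt = secrets.token_urlsafe(16)
        self.pending[vt] = (username, email)
        return vt               # sent to the mailbox only, never to a client

    def verify_email(self, vt):
        entry = self.pending.pop(vt, None)
        if entry is None or entry[1] in self.email_owner:
            return False
        username, email = entry
        self.email_owner[email] = username
        self.accounts[username]["email"] = email
        return True

    def request_reset(self, email):
        token = secrets.token_urlsafe(16)
        owner = self.email_owner.get(email)
        if owner is not None:   # unknown addresses get an unusable token: no enumeration
            self.tokens[hashlib.sha256(token.encode()).hexdigest()] = owner
        return token            # sent to the mailbox only

    def reset_password(self, token, new_password):
        # The token itself names the account; the caller cannot choose a different one.
        owner = self.tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if owner is None:
            return False
        self.accounts[owner]["password"] = new_password
        return True

    def login(self, username, password):
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(acct["password"], password)


def attack_weak():
    """Replays the described takeover; returns True if the attacker now logs in as the victim."""
    svc = WeakResetService()
    svc.register(VICTIM, VICTIM_EMAIL, "victim-secret")
    svc.register(ATTACKER, VICTIM_EMAIL, "attacker-pw")   # second account, same address
    token = svc.request_reset(VICTIM_EMAIL)               # lands in the attacker's client
    svc.reset_password(token, VICTIM, "owned")            # applied to the victim's account
    return svc.login(VICTIM, "owned")


def attack_hardened():
    """Same steps against the hardened service; returns True only if the takeover worked."""
    svc = HardenedResetService()
    svc.verify_email(svc.register(VICTIM, VICTIM_EMAIL, "victim-secret"))
    svc.register(ATTACKER, VICTIM_EMAIL, "attacker-pw")   # refused: address already verified
    svc.request_reset(VICTIM_EMAIL)                       # token goes to the victim's mailbox only
    guessed = secrets.token_urlsafe(16)                   # attacker never sees the real one
    return svc.reset_password(guessed, "owned") or svc.login(VICTIM, "owned")


if __name__ == "__main__":
    print("weak service taken over:", attack_weak())
    print("hardened service taken over:", attack_hardened())
```

The three properties that matter are that an address is bound to exactly one account and only after the mailbox owner confirms it, that the reset token identifies that account rather than the address, and that the token travels only through the mailbox, never through a client session the requester already controls.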
Microsoft, which acquired Skype last year for $8.5 billion, suspended all password resets until the vulnerability was addressed. This comes at an inopportune time for Microsoft, which has been asking users of Windows Live Messenger to link that application to their Skype accounts, logging users into both simultaneously. Microsoft is expected to end support for Windows Live Messenger next year.
Users have had to contend with a number of Skype security issues this year. In October, the Dorkbot worm circulated among Skype users, many of whom were tricked into opening a malicious .zip file that opened a backdoor and unleashed the worm. A ransomware component locked down some computers, demanding $200 in ransom within 48 hours.
In July, a privacy issue surfaced for Skype users of the app’s instant messaging function. If the Skype client crashed during an IM chat, the last message sent was sometimes delivered to the wrong contact. The bug was found in Skype for Windows, Mac, Linux and several mobile platforms.
This bug came on the heels of another vulnerability that exposed users’ IP addresses, a flaw Skype had been informed about in November 2010. The flaw was deeply embedded in the code and difficult to fix, engineers said.
This article was updated Nov. 14 to include information that the Skype vulnerability was repaired and password resets were available again.