Skype tackles hack vulnerability that put accounts at risk

Skype has tackled a password reset flaw which could be exploited to hijack the video chat service’s accounts.

The vulnerability was discussed on a Russian blog about three months ago, but was only tackled after details were shared on news discussion site Reddit.

The issue could have exposed answerphone messages, old text message conversations and user details including date of birth.

Skype said it had now resolved the issue.

“Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website,” said engineer Leonas Sendrauskas.

“This issue affected some users where multiple Skype accounts were registered to the same email address.

“We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly.

“We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologise for the inconvenience.”

Easy-to-use attack

A how-to-guide was first shared on Russian forum Xeksec.

It involves using a victim’s Skype-registered email address to create a new account which is also linked to an email account owned by the attacker.

If a password change is then requested using the target’s username, the hijacker can access the resulting reset token via the Skype app itself using the newly-created bogus log-in.

This can then be used to lock out the account’s owner and access their details.

Skype blanks all but the last four digits of stored credit card accounts preventing the hackers from being able to steal cash, however they could have used up spare credit.

The security hole was confirmed by The Next Web which subsequently brought it to Skype’s attention.

It follows on from a revelation last month that the program could be used to distribute malware via its instant message tool.

The news comes amid a campaign by Microsoft to convince members of its Windows Live Messenger chat tool to switch to Skype.

It plans to retire WLM by March 2013 across the world, with the exception of China.

Credit: CNN