Skype has moved to close a huge security hole in its system that could let attackers take control of Skype accounts using only the victim's email address.
Update: The issue has been fixed, according to Skype. See the update at the end of this article.
The vulnerability was first revealed on a Russian blog a couple of months back but has just been brought to wider attention, after the author said the hole had still not been plugged despite Microsoft knowing of the issue.
The security hole means that all an attacker has to do is know the email address of a victim. Armed with that information, the attacker can set up a second account registered to the same address and request a password reset. Once the password is changed the original user is locked out of their account. Tech blog The Next Web has tested the vulnerability and confirmed that it does work.
CBR has removed a number of vital steps an attacker would need to take in order to take control of an account.
Skype told CBR in a statement that it is aware of the reports and is investigating them. "We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience but user experience and safety is our first priority," the statement said.
Rik Ferguson, director of security research at Trend Micro, told CBR the security vulnerability "simply should not have happened."
"If an account which is already registered with a service, any service, tries to re-register then there should be a mandatory authentication stage before that secondary registration is allowed to continue. In this case that would mean logging in with your Skype credentials before being able to request further Skype IDs."
Even changing the primary email address associated with an account, which has been suggested as a temporary fix, will not completely solve the problem, Ferguson added.
"Before the access to reset passwords was disabled, the only way to protect yourself was to register an entirely separate and secret e-mail address for use with your Skype account," he said. "This is not only security by obscurity, it could theoretically leave you more open to attacks as you are less likely to investigate regularly the inbox of such little-used addresses."
VoIP calling service Skype was acquired by Microsoft in May 2011 for $8.5bn.
Update: The company says it has fixed the issue and the password reset function is working properly. Only a small number of users were affected, the statement said.
"Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address," the statement said.
"We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly," Skype added. "We are reaching out to a small number of users who may have been impacted to assist as necessary."
The company also apologised for the inconvenience the issue caused.