View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Data Centre
November 14, 2012

UPDATED: Skype fixes password reset vulnerability

Huge security fail could see attackers take over user's account

By Steve Evans

Skype has moved to disable a huge security hole in its system that could let attackers take control of Skype accounts with just the user’s email address.

Update: The issue has been fixed, according to Skype. See the update at the end of this article.

The vulnerability was first revealed on a Russian blog a couple of months back but has just been brought to wider attention, after the author said the hole had still not been plugged despite Microsoft knowing of the issue.

The security hole means that all an attacker has to do is know the address of a victim. Armed with that information the attacker can set up a second account, and request a password reset. Once the password is changed the original user is locked out of their account. Tech blog The Next Web has tested the vulnerability and confirmed it does work.

CBR has removed a number of vital steps an attacker would need to take in order to take control of an account.

Skype told CBR in a statement that it is aware of the reports and is investigating them. "We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience but user experience and safety is our first priority," the statement said.

Rik Ferguson, director of security research at Trend Micro, told CBR the security vulnerability "simply should not have happened."

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

"If an account which is already registered with a service, any service, tries to re-register then there should be a mandatory authentication stage before that secondary registration is allowed to continue. In this case would mean logging in with your Skype credentials before being able to request further Skype IDs."

Even changing the primary email address associated with an account, which has been suggested as a temporary fix, will not completely solve the problem, Ferguson added.

"Before the access to reset passwords was disabled, the only way to protect yourself was to register an entirely separate and secret e-mail address for use with your Skype account," he said. "This is not only security by obscurity, it could theoretically leave you more open to attacks as you are less likely to investigate regularly the inbox of such little-used addresses."

VoIP calling service Skype was acquired by Microsoft in May 2011 for $8.5bn.


Update: The company says it has fixed the issue and the password reset function is working properly. Only a small number of users were affected, the statement said.

"Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address," the statement said.

"We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly," Skype added. "We are reaching out to a small number of users who may have been impacted to assist as necessary."

The company also apologised for the inconvenience the issue caused.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.