Skype accounts have been easily hijackable for the past two months through a simple password reset request, it was revealed overnight.
Ivan Koldaev of Pixus.ru explained on his blog that all an attacker needed was to know a Skype user's email address and request a password reset via the application itself.
Once Skype provides a password token, the attacker asks for a temporary code link.
By using the temporary link in a browser, an attacker can reset the password of the Skype user's account and gain full access to it.
Koldaev notes the process is quick, taking less than a minute, and requires only six easy steps to complete.
Details of the exploit were shared on Russian Internet forums and via the social bookmarking site Reddit, but the flaw appears to have been known since August this year, according to Hacker News, which posted a transcript of a discussion of similar issues with Skype support staff.
Skype said overnight that, after The Next Web alerted the company to the security hole, it had plugged it by suspending the password reset feature and updating it to ensure it works properly.
The Next Web tested the flaw and was able to hijack multiple Skype accounts belonging to staffers. It was possible to perform the attack quickly, in approximately two minutes, and The Next Web said it could be automated.
In a statement posted to its blog, Skype acknowledged the flaw and noted that some users have been compromised.
"Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address.
"We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly.
"We are reaching out to a small number of users who may have been impacted to assist as necessary.
"Skype is committed to providing a safe and secure communications experience to our users and we apologise for the inconvenience," Skype's Leonas Sendrauskas wrote.
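The root cause Skype's statement points to, a reset token tied to an email address that several accounts share rather than to one account, as an added Python example that is not from the article or from Skype: a flawed issue/redeem pair beside a hardened one that binds the token to a single account, expires it, and consumes it on first use. The account names, email addresses and lifetime are constructed for illustration.

```python
import secrets
import time

# Constructed sample records (not Skype data): two accounts share one email
# address, which is the condition Skype said the flawed reset affected.
ACCOUNTS = {
    "alice_work": {"email": "alice@example.com", "password": "old-1"},
    "alice_home": {"email": "alice@example.com", "password": "old-2"},
}
TOKEN_TTL = 600  # hypothetical token lifetime in seconds

_weak_tokens = {}    # token -> email address only
_strong_tokens = {}  # token -> (account_id, expiry timestamp)

def weak_issue(requesting_account):
    """Flawed design: the token records only the email, not which account asked."""
    token = secrets.token_urlsafe(16)
    _weak_tokens[token] = ACCOUNTS[requesting_account]["email"]
    return token

def weak_redeem(token, target_account, new_password):
    """Flawed design: any account sharing that email can be reset with the token."""
    email = _weak_tokens.get(token)
    if email is None or ACCOUNTS[target_account]["email"] != email:
        return False
    ACCOUNTS[target_account]["password"] = new_password
    return True

def strong_issue(requesting_account, now=None):
    """Hardened: bind the token to exactly one account id and give it a lifetime."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _strong_tokens[token] = (requesting_account, now + TOKEN_TTL)
    return token

def strong_redeem(token, target_account, new_password, now=None):
    """Hardened: single-use, expiring, and only valid for the bound account."""
    now = time.time() if now is None else now
    entry = _strong_tokens.pop(token, None)  # consumed on first use, valid or not
    if entry is None:
        return False
    bound_account, expiry = entry
    if now > expiry or bound_account != target_account:
        return False
    ACCOUNTS[target_account]["password"] = new_password
    return True
```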