Skype acts late after flaw lets anyone hack accounts

 

Gallery

By Stewart Mitchell

Posted on 14 Nov 2012 at 14:50

Skype has blocked a security flaw that made it alarmingly simple to break into user accounts.

The password reset function flaw within the VoIP software meant anyone could take over an account simply by knowing a potential victim's email address.

The weakness was explained on a Russian website, which said it had warned Skype of the issue three months ago.

According to the post, all a would-be attacker needed to do was create a new Skype account using the victim's email address. Once the account was created, the two were automatically linked via the email address, and the password could be reset, locking the real account holder out.

In essence the procedure is so simple it could be carried out by even the most inexperienced of computer users

Although the target would get a notification of the password change, there would be little they could to to stop the attack before it was too late.

The most worrying aspect of the flaw was that it was initially reported three months ago, and could be replicated by anyone with no hacking knowledge.

"In essence the procedure is so simple it could be carried out by even the most inexperienced of computer users," said Rik Ferguson, director of security research and communication at Trend Micro, in a blog post.

Skype said it had since taken the password reset function offline and was investigating further.

"We have had reports of a new security vulnerability issue," the company said. "As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience but user experience and safety is our first priority."