Skype acts late after flaw lets anyone hack accounts
By Stewart Mitchell
Posted on 14 Nov 2012 at 14:50
Skype has blocked a security flaw that made it alarmingly simple to break into user accounts.
The password reset function flaw within the VoIP software meant anyone could take over an account simply by knowing a potential victim's email address.
The weakness was explained on a Russian website, which said it had warned Skype of the issue three months ago.
According to the post, all a would-be attacker needed to do was create a new Skype account using the victim's email address. Once the account was created, the two were automatically linked via the email address, and the password could be reset, locking the real account holder out.
In essence the procedure is so simple it could be carried out by even the most inexperienced of computer users
Although the target would get a notification of the password change, there would be little they could to to stop the attack before it was too late.
The most worrying aspect of the flaw was that it was initially reported three months ago, and could be replicated by anyone with no hacking knowledge.
"In essence the procedure is so simple it could be carried out by even the most inexperienced of computer users," said Rik Ferguson, director of security research and communication at Trend Micro, in a blog post.
Skype said it had since taken the password reset function offline and was investigating further.
"We have had reports of a new security vulnerability issue," the company said. "As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience but user experience and safety is our first priority."
- Flickr redesign: is it enough to tempt photographers back?
- Hands on with the new Google Maps
- Nokia Lumia 925 review: first look
- Why I won't subscribe to Creative Cloud
- GoPro camera strapped to a remote-control helicopter: the ultimate boy's toy
- Acer Iconia A1 review: first look
- Acer Aspire P3 review: first look
- Acer Aspire R7 review: first look
- How we produce the PC Pro podcast
- Google Now draining iPhone battery
- Yes, I write down my passwords
- How to deal with a ransomware attack
- How secure is your Wi-Fi network?
- How QR codes caught out the security pros
- Why I do not trust Do Not Track... yet
- The hard disks you can "secure" with a single-digit password
- Why I've started using a password manager
- Time to kill off CAPTCHA
- Are today's young people Generation I (for insecure)?
- Ransomware that's better made than antivirus software