*UPDATED* Microsoft disable Skype password reset after security flaw is uncovered
UPDATED 16:18 GMT:
We’ve just received the following statement from Skype:
“Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologise for the inconvenience.”
The original story follows:
Russian hackers have uncovered a security flaw in Microsoft’s Skype video calling service that allows unsavory web users to easily gain control of a user’s account.
The issue rests with Skype’s password reset procedures. Exploiting the flaw, a hacker merely needs a user’s username and email address that Skype is registered to in order to kick-off a five-step process to gain control of the account.
Though we wont post details of the hack here, we’ve independently verified that it indeed works. Both The Verge and The Next Web have also verified the hack.
It’s an incredibly simple hack, but does rely upon your email address being common knowledge. If it isn’t, you’re safe, and if it is, you should probably go about changing the address your account is registered to.
As a precaution while they look into the problem, Microsoft have temporarily disabled Skype’s password reset controls. Skype have also released the following statement.
“We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority”
Via: The Next Web