Skype fixes account hijacking vulnerability

Summary: Skype has fixed a severe vulnerability that made it possible to hijack a Skype account using only the email address associated with it.

TOPICS: Security

Skype has fixed a vulnerability that made it possible to take over Skype accounts.

The vulnerability was revealed on a blog on Wednesday and let anyone take over a Skype account as long as they knew its email address.

"The only thing you need to obtain full access to any Skype account is primary email of that account (the email which used when the skype account been registered)," a post which appeared on the pixus.ru blog on Wednesday morning said. The post detailed the fault and gave step-by-step instructions for using the exploit.

The exploit involved six steps and gave people the ability to log in to accounts that were not theirs, then change the password, enabling them to hijack the account.

"Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address," Skype said in a statement. "We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly."

The Microsoft-owned company said it was "reaching out to a small number of users" who could have been affected by the exploit. 

"Skype is committed to providing a safe and secure communications experience to our users and we apologise for the inconvenience," it added.

Skype said it will provide more information on the vulnerability in the next couple of days.

Jack Clark

About Jack Clark

Currently a reporter for ZDNet UK, I previously worked as a technology researcher and reporter for a London-based news agency.

Talkback

1 comment
  • And these guys aren't even the worst

    And Skype didn't even force you to use an E-mail address as your user ID, which some embarrassingly large and famous companies do. That's a blunder that disregards user security, convenience, and common sense: http://goldmanosi.blogspot.com/2012/06/forcing-people-to-use-e-mail-address-as.html
    Oscar Goldman