Security Corner

Nov 24 2012   1:48PM GMT

Serious Skype security flaw uncovered, then fixed

Ken Harthun

A serious security flaw in Microsoft-owned Skype allowed hackers to hijack accounts just by knowing the user’s email address. Details from this article at TechCrunch:

Skype faced a fairly serious security threat today [Nov. 14, 2012], thanks to a flaw in the system replicated by The Next Web that allowed people to sign up with email addresses already in use by other users and then force password resets for any accounts associated with those emails. Reset tokens could be delivered to the Skype client itself, meaning people didn’t need access to email accounts to reset passwords associated with them.

Very shortly after The Next Web notified Microsoft, the issue was fixed.

The flaw was actually more of a design issue than a security hole, according to Steve Gibson of Security Now! He discussed this flaw in Security Now! Episode #378:

Microsoft shut down the vulnerability, the aspect of vulnerability, which was password recovery. They took that part offline immediately, then looked at the problem, understood it, fixed it, and then brought password recovery back. So that’s what I mean by this being a design problem. As soon as someone told them, they’re like, oh, my god. And so it was easy to fix.
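To make the design problem concrete, here is an added toy model of the reset flow described above. It is constructed for this post and is not Skype's or Microsoft's code; the account service, the "alice" and "mallory" users, and the example.test address are all assumptions. The weak variant lets a second account claim an address that is already in use and hands reset tokens to whichever signed-in client asked for them; the hardened variant binds an address to a single account only after the mailbox is confirmed and delivers reset tokens to that mailbox alone.

```python
"""Toy model of the Skype-style password-reset weakness (constructed example)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    password: str
    emails: set = field(default_factory=set)           # addresses the user merely claimed
    verified_emails: set = field(default_factory=set)  # addresses proven via a mailed code


class AccountService:
    """In-memory account store. hardened=False reproduces the flawed design."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, tuple[str, str]] = {}   # verification code -> (user, email)
        self.reset_tokens: dict[str, str] = {}          # reset token -> username
        self.outbox: list[tuple[str, str, str]] = []    # (channel, recipient, payload)

    def _owner_of(self, email):
        # Hardened: only a verified address counts as "in use".
        for acct in self.accounts.values():
            pool = acct.verified_emails if self.hardened else acct.emails
            if email in pool:
                return acct.username
        return None

    def register(self, username, password, email):
        if username in self.accounts:
            raise ValueError("username taken")
        if self.hardened and self._owner_of(email) is not None:
            raise ValueError("email already associated with an account")
        acct = Account(username, password)
        acct.emails.add(email)
        self.accounts[username] = acct
        if self.hardened:
            # Address is not trusted until the code mailed to it comes back.
            code = secrets.token_urlsafe(16)
            self.pending[code] = (username, email)
            self.outbox.append(("email", email, code))
        return acct

    def confirm_email(self, code):
        username, email = self.pending.pop(code)
        self.accounts[username].verified_emails.add(email)

    def request_reset(self, email, requesting_user):
        if self.hardened:
            owner = self._owner_of(email)
            if owner is None:
                return  # unknown address: say nothing, send nothing
            token = secrets.token_urlsafe(24)
            self.reset_tokens[token] = owner
            self.outbox.append(("email", email, token))  # mailbox only
            return
        # Weak design: every account that claims the address gets a token,
        # and the token is shown in the client that made the request.
        for acct in self.accounts.values():
            if email in acct.emails:
                token = secrets.token_urlsafe(24)
                self.reset_tokens[token] = acct.username
                self.outbox.append(("client", requesting_user, token))

    def reset_password(self, token, new_password):
        username = self.reset_tokens.pop(token)
        self.accounts[username].password = new_password
        return username


def demo(hardened: bool):
    """Run the scenario from the post and report what reached the second account."""
    svc = AccountService(hardened)
    svc.register("alice", "alice-pw", "alice@example.test")
    if hardened:
        svc.confirm_email(svc.outbox[-1][2])  # alice proves she owns the mailbox
    try:
        svc.register("mallory", "mallory-pw", "alice@example.test")
        duplicate_allowed = True
    except ValueError:
        duplicate_allowed = False
    svc.request_reset("alice@example.test", requesting_user="mallory")
    to_client = [p for ch, to, p in svc.outbox if ch == "client" and to == "mallory"]
    return {
        "duplicate_allowed": duplicate_allowed,
        "accounts_resettable_by_attacker": sorted(svc.reset_tokens[t] for t in to_client),
    }


if __name__ == "__main__":
    print("weak:    ", demo(hardened=False))
    print("hardened:", demo(hardened=True))
```

The two properties that matter are independent: uniqueness of the address across accounts, and delivery of the reset token only through the channel that proves control of that address. The weak model fails both, which is why an attacker in the reported scenario could obtain a token for someone else's account from inside their own client; fixing either one would have blocked it, and the hardened model fixes both.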
