Hours after The Next Web revealed a flaw in the way Skype handled password resets, allowing third parties to hijack accounts using just an email address, Skype has said that it has now fixed the issue. The company has confirmed that it first mitigated the issue and has since updated its password reset process so that it no longer sends reset tokens to the client. We have confirmed ourselves that this flaw has been fixed.
In its statement to TNW, Skype explains:
Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly.
We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.
What Skype is essentially saying here is that while this flaw did exist for a while (we first spotted the issue in a Russian forum post dating back two months), the company was able to fix it quickly enough that the exploit could not be used against a large number of accounts. The statement could be read as implying that the issue only affected certain Skype accounts, which is false: the flaw affected all accounts.
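Skype's fix, as described above, comes down to two rules: the reset token is never handed back to whoever submitted the reset form, and a reset applies to exactly one account even when several accounts share an email address. The following is an added example, not Skype's code or anything from the article, showing a server-side reset flow that follows both rules: tokens are generated on the server, stored only as hashes, bound to a single account, time-limited and single-use, and delivered only through the registered email channel (modelled here by an in-memory outbox). The class and function names, the in-memory stores and the sample accounts are all constructed for this example.

```python
"""Server-side password reset flow (added example, not Skype's code).

Properties demonstrated:
  * the HTTP response to the reset form never carries the token; the token
    goes only to the registered email address (modelled by `outbox`);
  * each token is bound to exactly one account, so one shared email address
    yields one separate token per account and cannot reset the others;
  * tokens are stored hashed, expire after TOKEN_TTL_SECONDS, and are single-use.
All names, stores and sample data here are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60
# Same reply whether or not the address exists, so the form does not
# confirm which addresses are registered.
GENERIC_REPLY = "If that address is registered, reset instructions have been emailed."
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, encoded as 'salthex$digesthex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


@dataclass
class Account:
    account_id: str
    email: str
    password_hash: str


@dataclass
class ResetRequest:
    account_id: str      # the single account this token is allowed to reset
    expires_at: float
    used: bool = False


class PasswordResetService:
    def __init__(self, accounts: List[Account], now: Callable[[], float] = time.time):
        self.accounts: Dict[str, Account] = {a.account_id: a for a in accounts}
        # sha256(token) -> request; the raw token is never persisted server-side
        self._pending: Dict[str, ResetRequest] = {}
        # Stand-in for the email channel: (recipient, account_id, token)
        self.outbox: List[Tuple[str, str, str]] = []
        self._now = now

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str) -> str:
        """Handle the public reset form. Issues one token per matching account;
        every token goes to the email channel only, never into the return value."""
        wanted = email.strip().lower()
        for acct in self.accounts.values():
            if acct.email.lower() != wanted:
                continue
            token = secrets.token_urlsafe(32)
            self._pending[self._fingerprint(token)] = ResetRequest(
                acct.account_id, self._now() + TOKEN_TTL_SECONDS
            )
            self.outbox.append((acct.email, acct.account_id, token))
        return GENERIC_REPLY

    def complete_reset(self, token: str, new_password: str) -> Optional[str]:
        """Consume a token from the emailed link. Resets only the bound account
        and returns its id, or None if the token is unknown, used or expired."""
        req = self._pending.get(self._fingerprint(token))
        if req is None or req.used or self._now() > req.expires_at:
            return None
        req.used = True
        acct = self.accounts[req.account_id]
        acct.password_hash = hash_password(new_password)
        return acct.account_id
```

The form handler's return value is deliberately the same string in every case: an attacker who submits someone else's address learns nothing and receives no token, and a user with two accounts under one address gets two distinct emailed tokens, each of which can reset only the account it was minted for.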
Here at TNW, we managed to use the security hole to hijack multiple Skype logins belonging to staff members (with their permission, of course). Skype says it will be getting in touch with those it detected as being affected to make sure they are aware their accounts were hijacked.
The whole process took roughly two minutes, and it could have been automated to hijack multiple accounts in quick succession. That Skype moved quickly to fix this flaw matters: the company now only has to contact those affected during the window in which the flaw was known, from two months ago, when it was first discovered, to last night, when the world took notice and many tried to replicate the issue.