Wednesday, November 14, 2012

Skype Quickly Fixes Password Reset Vulnerability

Skype has moved rather quickly to mitigate a recently publicized flaw in the way the service handled password reset requests, a flaw that allowed would-be hackers easy access to a user's Skype account.

A security vulnerability, verified by Skype earlier today, allowed someone to gain easy access to almost any Skype account simply by knowing the account owner's current email address. An attacker could use the same email address as that of the intended victim to create a duplicate account, then use the password reset form to reset the password for all accounts associated with that address, thereby locking the original account owner out of Skype.

As a preventative measure, Skype took quick action, temporarily disabling its password reset page. However, according to its latest blog post, the company managed to resolve the security hole not long after verifying the flaw:
Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.
So far there have been no reports of any kind indicating that Skype users would need to change their current passwords. But those who might be concerned can now do so using the password reset page accessible from their account profile.
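
The design weakness described in this post, modeled as an added example in Python (not Skype's code and not part of the original post): a reset flow where several accounts share one address, with a weak handler beside a hardened one. The class and function names, the in-session token delivery in the weak handler, and the `email_verified` flag are assumptions for illustration; the post does not describe Skype's implementation or its fix.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool  # assumption: True only after the owner confirms a mailed link


class ResetService:
    def __init__(self):
        self.accounts = {}  # username -> Account
        self.outbox = []    # (mailbox, username, token), delivered by e-mail only

    def register(self, username, email, email_verified=False):
        self.accounts[username] = Account(username, email.lower(), email_verified)

    def _sharing(self, email):
        return [a for a in self.accounts.values() if a.email == email.lower()]

    def reset_weak(self, requester):
        """Assumed flawed design: merely holding an address, even unverified,
        lets the requester's session reset every account registered to it."""
        email = self.accounts[requester].email
        return {a.username: secrets.token_urlsafe(16) for a in self._sharing(email)}

    def reset_hardened(self, requester):
        """Tokens never reach the requesting session. They are mailed, and only
        for accounts whose address was verified by the mailbox owner."""
        email = self.accounts[requester].email
        for a in self._sharing(email):
            if a.email_verified:
                self.outbox.append((a.email, a.username, secrets.token_urlsafe(16)))
        return {}  # nothing usable in-session


def demo():
    # Constructed sample data: one verified owner, one unverified duplicate.
    svc = ResetService()
    svc.register("alice", "alice@example.com", email_verified=True)
    svc.register("dup", "alice@example.com")
    weak = svc.reset_weak("dup")
    hardened = svc.reset_hardened("dup")
    mailed = [(mailbox, user) for mailbox, user, _ in svc.outbox]
    return sorted(weak), hardened, mailed
```

In the weak handler the duplicate account's session receives tokens for both accounts; in the hardened handler it receives none, and the only token issued goes to the verified owner's mailbox.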
