November 14, 2012

Major vulnerability in Skype password reset

A major vulnerability in Skype's password reset feature allowed any malicious user to hijack another user's account, i.e. change its password, just by knowing that user's email address. The issue is said to have existed for two months now, and hackers also notified Skype of the problem. After waiting long enough, they decided to post the vulnerability online, after which the exploit went viral, appearing on several blogs whose authors explained how one can hijack others' accounts. The authors also recommended that Skype users change their primary email address to something less public in order to minimize the risk.

Right now Skype has temporarily disabled the password reset page. A permanent fix is expected soon; we are waiting for official word on this critical issue.

Update: Folks at Skype have tweeted and put up a blog post addressing the issue, apologizing for the trouble and assuring users that the necessary fix has been implemented and that they need not worry.

1 comment:

  1. Official: http://heartbeat.skype.com/2012/11/security_issue.html
