For over two months, there has existed a large security hole in the video chatting and messaging service Skype. Until today, hackers could break into any Skype account with only the target’s email address.
Popular website The Next Web first found mention of the flaw on Russian forums and was able to replicate it on its own. The Next Web said it was shocking just how easy it was to break into one another’s accounts.
According to The Next Web, all they needed was the email address associated with the target’s account. With this email address in hand, a hacker could simply sign up for a new account with the target’s email address. After a few more “key steps,” the hacker could request a password change, thereby locking out the target from every account associated with that email address. Users could catch these hackers and prevent them from changing their passwords, but only if they acted very quickly. Once in the account, the hacker had access to the target’s user name, as well as their address book and contacts. Once the hacker changed the password for the account, the target was effectively locked out of it.
Skype acknowledged the flaw this morning and said they were working to fix it.
“Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly,” said Skype in a statement to The Next Web.
Skype has also said they’ll be working with those users who were affected by the flaw.
Later in the day, Skype issued a new statement saying they had permanently fixed the security flaw. However, any Skype user concerned that their account may still be compromised is encouraged to change the email address associated with their account to a lesser-known, less frequently used address.
To change your email address, log in to Skype. Then, click on the “Profile” link under the “Account Details” heading, then scroll down to find “Contact Details.” From here, click “Add Email Address.” Add your new, relatively secret email address, then scroll to the bottom and click “Save.” Once this new email address is entered, scroll to the bottom once more and click “Edit.” Find your new email address and choose “Set As Primary Email” to set this address as the address associated with your account.
According to TG Daily, the Russian hackers who found this exploit warned Skype about it months ago. Yet, the company refused to make moves to fix the flaw until today.