Hours after reports about a major security hole in Skype’s password reset process surfaced in major media outlets, the VoIP service provider fixed the flaw. The vulnerability, which allowed Skype accounts to be hijacked using nothing more than a password reset token, was first noted by a Russian blog two months ago. Yesterday, the story was picked up by The Next Web, and major media outlets followed.
The vulnerability in the Skype password reset process left all users prone to account hijacking. All that a hacker needed to know was the email address used to create the account. The next steps were easy to reproduce. The hacker had to open another user account using the same email address and send a password reset request. The password reset token delivered in return could then be used to gain access to the target account and lock the original user out.
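A minimal model of this class of flaw, added here as an illustration and not Skype's code: the article does not describe Skype's internals, so the `ResetService` class, its methods and the sample accounts are hypothetical. It contrasts a reset token that is accepted for any account sharing the email address with one bound to the account that requested it.

```python
import secrets


class ResetService:
    """Toy account store; every name here is hypothetical, not Skype's."""

    def __init__(self, bind_to_account):
        self.bind_to_account = bind_to_account
        self.accounts = {}  # username -> {"email": ..., "password": ...}
        self.tokens = {}    # token -> (email, requesting username)

    def register(self, username, email, password):
        # As the article describes, a second account may reuse an email address.
        self.accounts[username] = {"email": email, "password": password}

    def request_reset(self, username):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (self.accounts[username]["email"], username)
        return token  # assumption: the requester ends up holding this value

    def redeem(self, token, target, new_password):
        entry = self.tokens.pop(token, None)  # tokens are single use
        if entry is None or target not in self.accounts:
            return False
        email, requester = entry
        if self.bind_to_account:
            # Hardened: valid only for the account that requested the reset.
            allowed = requester == target
        else:
            # Weak: valid for every account registered with the same address.
            allowed = self.accounts[target]["email"] == email
        if allowed:
            self.accounts[target]["password"] = new_password
        return allowed


def run_scenario(bind_to_account):
    """Constructed sample data: two accounts registered with one address."""
    svc = ResetService(bind_to_account)
    svc.register("original_user", "user@example.test", "old-secret")
    svc.register("second_account", "user@example.test", "other-secret")
    token = svc.request_reset("second_account")
    changed = svc.redeem(token, "original_user", "new-secret")
    return changed, svc.accounts["original_user"]["password"]
```

With the token bound to the requesting account, a reset requested from the second account can only ever change that account's own password.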
The Skype team was quick to respond once it was notified about the issue. The team temporarily suspended the password reset feature and made updates to the password reset process. The password reset process is reported to be working properly now.
“We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience,” the Skype team said.