Skype has disabled its password reset capability after a serious security threat was revealed which allowed anyone to take control of an account using its email address.
The method was reportedly known about months ago on Russian internet forums but has only been spotted by the Microsoft-owned company after users of the Reddit social networking site highlighted the issue.
The hack worked using Skype's password reset feature which delivered a password reset token to the email address tied to the user's account.
The hijacker could then access the reset email via the Skype app using a bogus account linked to the original account.
Skype hides a user's credit card details and has security checks to prevent fraud if an account is hijacked this way. However, all pre-existing calling credit stored on the account is vulnerable.
The security flaw was first reported on the internet blog, The Next Web, before it was passed onto Skype.
"We reproduced the attack, step-by-step, and managed to access the Skype accounts of TNW writer (with permission) Josh Ong (as well as editor Matt Brian to verify again) with only their email addresses," said a reporter on the blog.
"Having done all that, I could see my username for Josh's account, and Josh's username (for the first time - note, I had no idea what it was until this point) for his account, as well as change the password for whichever I pleased. I changed Josh's, locking him out of the account and letting me in. Since I did this before Josh could, and he would have to be watching his email account 'like a hawk' (his words, not mine) to beat me, I essentially gained exclusive access to his account. He couldn't log back in until I gave him the new password."
Skype, which has a registered user base of over 600 million people said the security flaw only affected a "small" number of users who it thinks may have been hacked in this way.
In a statement it said, "Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly."
"We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologise for the inconvenience," it added.
Skype was bought by Microsoft for $8.5bn last year and has since become central to the company's plans in the mobile communications space.
Earlier this week, the company launched an updated version of the program designed to be integrated with its Windows 8 operating system. The new program is designed to work seamlessly between all Windows devices, including smartphones, tablets and desktop PCs and Microsoft says it will eventually entirely replace its Windows Live Messenger internet messaging service in the new year.
© Copyright 2024 Mobile & Apps, All rights reserved. Do not reproduce without permission.