Microsoft has been promoting the integration of Skype into its new Windows 8 system but earlier it hit a setback when a security flaw was found. Skype has had to suspend its password reset function after it emerged that the option could be used to hijack the accounts of people using the service.
The vulnerability was first discussed on a Russian blog around three months ago but Microsoft only tackled the issue after details of the flaw were discussed on Reddit. The issue could have potentially exposed answer phone messages, old text conversations and even user details such as date of birth.
Skype is looking into the problem, as Skype engineer Leonas Sendrauskas wrote:
“We have had reports of a new security vulnerability issue,”
He added, “As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience but user experience and safety is our first priority.”
A guide on how to exploit the flaw was first shared on a Russian forum by the name of Xeksec. It involves using a victim's Skype email address to create a new account that is also linked to an email account owned by the attacker. If a password change is requested using the target's user name, the hijacker can get access to the resulting password reset token via the actual Skype app using the newly created log in.
This can then be used to make sure that the original owners are locked out of the account and the hijacker can get access to account details. Skype blanks all but the last four digits of credit card numbers so credit card data is not at risk but the hackers may have used up remaining account credit.
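The design weakness described above can be shown in a small model. The following is an added example, not Skype's code: the class, the account names and the delivery logic are assumptions built only from the description in this article. It contrasts a reset flow that surfaces the token to every login sharing an email address with one that keeps addresses unique and delivers the token only to a confirmed mailbox.

```python
import secrets


class ResetService:
    """Toy account store; hardened=False models the flaw as this article describes it."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.accounts = {}  # username -> {"email": str, "verified": bool}
        self.in_app = {}    # username -> reset tokens shown inside the client
        self.mailbox = {}   # email address -> reset tokens sent by e-mail

    def register(self, username, email, verified=False):
        # Hardened: an address may be attached to only one account.
        if self.hardened and any(a["email"] == email for a in self.accounts.values()):
            raise ValueError("email already attached to another account")
        self.accounts[username] = {"email": email, "verified": verified}
        self.in_app[username] = []

    def request_reset(self, username):
        account = self.accounts[username]
        token = secrets.token_urlsafe(16)  # returned only so the demo can inspect it
        if self.hardened:
            # Deliver out of band only, and only to an address whose ownership was confirmed.
            if account["verified"]:
                self.mailbox.setdefault(account["email"], []).append(token)
            return token
        # Flawed: the token also appears in-app for every login that shares the address.
        self.mailbox.setdefault(account["email"], []).append(token)
        for name, other in self.accounts.items():
            if other["email"] == account["email"]:
                self.in_app[name].append(token)
        return token


def second_account_sees_token(hardened):
    """True if a second login registered with the owner's address receives the token."""
    svc = ResetService(hardened)
    svc.register("owner", "owner@example.test", verified=True)  # constructed sample data
    try:
        svc.register("second_login", "owner@example.test")
    except ValueError:
        return False  # duplicate address rejected at sign-up
    token = svc.request_reset("owner")
    return token in svc.in_app["second_login"]
```

In the flawed mode the second login receives the owner's reset token; in the hardened mode the duplicate registration is refused and the token reaches only the confirmed mailbox.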
Did this flaw affect you? Why did Microsoft take so long to notice? Comment below or on our Facebook page.