Skype patches password reset vulnerability

Skype has fixed a vulnerability in its Voice-over-IP (VoIP) service that allowed hackers to take over accounts using the password reset feature.

Leonas Sendrauskas, an engineer at Skype, said that the company was notified of the problem earlier today. It temporarily suspended the password reset while it made an update to fix the security hole.

However, the problem has existed for months, with one Russian website, Xeksec, featuring a guide on how to exploit the vulnerability. When the bug finally gained notoriety on Reddit, Skype took notice.

[Image: Skype for Windows 8]

All a hacker had to do was create a new Skype account with the email address of an existing member. A password reset request with the original Skype user's username would then result in the hacker being able to access the reset token directly through the Skype app using the newly-created account.
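The flaw described above is a logic error in how the reset token is delivered, not a cryptographic weakness in the token itself. The following is an added, constructed illustration (not Skype's code and not from the article) of a toy account store that models the two behaviours in the article: registering a second account with an email address that already belongs to someone, and showing the reset token inside the app to every account listing that address. The `hardened` flag adds the two checks a defender would want: a new account cannot claim an address another account has already verified, and reset tokens are only shown in-app to an account whose ownership of the address has been confirmed. All names, the in-app "inbox" and the `mail_log` stand-in for real email delivery are assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool
    password: str
    inbox: list = field(default_factory=list)  # in-app notifications (constructed model)


class ResetService:
    """Toy account store with a password-reset flow (constructed example).

    hardened=False: any account may register an address already in use, the
    address is never verified, and reset tokens are pushed in-app to every
    account listing that address (the behaviour the article describes).
    hardened=True: a new account cannot claim an address that another account
    has verified, and tokens are pushed in-app only to a verified owner.
    """

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, str] = {}  # token -> username it may reset
        self.mail_log: list = []  # stands in for real email to the address

    def register(self, username, email, password, email_verified=False):
        if username in self.accounts:
            raise ValueError("username already taken")
        owned = any(a.email == email and a.email_verified
                    for a in self.accounts.values())
        if self.hardened and owned:
            # Fix 1: an address already proven to belong to someone else
            # cannot be claimed by a new, unverified account.
            raise ValueError("address already verified by another account")
        acct = Account(username, email, email_verified, password)
        self.accounts[username] = acct
        return acct

    def request_reset(self, username):
        target = self.accounts[username]
        token = secrets.token_urlsafe(16)
        self.pending[token] = username  # token is bound to one account only
        self.mail_log.append((target.email, token))  # out-of-band delivery
        for a in self.accounts.values():
            if a.email != target.email:
                continue
            if self.hardened and not a.email_verified:
                continue  # Fix 2: unverified claimants never see the token in-app
            a.inbox.append(("password_reset", token))
        return token

    def reset_password(self, token, new_password):
        username = self.pending.pop(token, None)  # single use
        if username is None:
            raise PermissionError("unknown or already-used token")
        self.accounts[username].password = new_password
        return username


def reset_token_leaks_to_duplicate_account(hardened: bool) -> bool:
    """Regression check: can a second account registered with the victim's
    address read the victim's reset token from its own in-app inbox and use
    it? Returns True when the store is vulnerable, False when it is not."""
    svc = ResetService(hardened)
    svc.register("victim", "victim@example.com", "orig-pw", email_verified=True)
    try:
        newcomer = svc.register("newcomer", "victim@example.com", "other-pw")
    except ValueError:
        return False  # hardened store refused the duplicate address
    svc.request_reset("victim")
    leaked = [t for kind, t in newcomer.inbox if kind == "password_reset"]
    if not leaked:
        return False
    svc.reset_password(leaked[0], "changed")
    return svc.accounts["victim"].password == "changed"


if __name__ == "__main__":
    print("vulnerable model leaks token:", reset_token_leaks_to_duplicate_account(False))
    print("hardened model leaks token:  ", reset_token_leaks_to_duplicate_account(True))
```

The check worth keeping from this is `reset_token_leaks_to_duplicate_account`: it is the kind of regression test that would have flagged the flaw, because it asserts on who can consume the token rather than on whether the token is random. Note that in the hardened model the legitimate owner still receives the token through `mail_log`, so the fix does not break the reset flow for real users.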
 
The hacker would then be able to see the user's details and spend any credit the user had on their account. Credit card details are also stored, though only the last four digits are shown, but a hacker can avail of the automatic top-up option for when credit is low, potentially leaving a hacked user with a hefty bill.
 
Skype said it is contacting anyone affected by the vulnerability to assist them in regaining access to their accounts. Presumably it will refund any credit that is fraudulently spent, given the problem was not user security but a gaping hole in Skype's own defences.
 
With Microsoft planning to ditch Windows Live Messenger for Skype, monumental security failings like this one won't make that transition any easier.
 
Source: BBC