Skype has moved quickly to fix a security issue that left its users open to an unsophisticated account-takeover attack.
On Wednesday, Reddit user turisto submitted a post on the social news site that included an English translation of a Russian security alert describing a working procedure for taking over a Skype account using only the victim’s email address.
The vulnerability had been around for several months but only reached mainstream media after the Reddit post. Exploiting it took just a couple of simple steps.
The original post reads,
Here’s how it works:
- Sign up for a new Skype account. Use the victim’s email. A warning will come up that an account with that email already exists, but you can still proceed with filling out the form and account creation.
- Log in to the Skype client with your new account.
- https://login.skype.com/account/password-reset-request - request a password reset using the victim’s email.
- You will get a password reset notification and token in your Skype client. Follow the link to pick the victim’s account and reset the password.
It appears the only way to safeguard yourself for now is to change your main Skype account email to one that’s not publicly known.
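As an added illustration (not Skype's code; the account, session and token names are constructed), a minimal Python model of the routing flaw the post above describes: the defective handler pushes a reset token to any logged-in client whose account merely registered the same address, while the hardened handler only counts verified owners, binds each token to exactly one account, and delivers it to the mailbox rather than to an in-app session.

```python
# Added example, not Skype's implementation: a toy account directory that
# contrasts the defective reset routing with a hardened one.
from dataclasses import dataclass, field
import secrets

@dataclass
class Account:
    username: str
    email: str
    email_verified: bool = False  # was the address ever confirmed by its owner?

@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)  # username -> Account
    sessions: dict = field(default_factory=dict)  # username -> logged-in client ids
    issued: dict = field(default_factory=dict)    # reset token -> usernames it may reset

def register(d, username, email, verified=False):
    # Sign-up completes even when the address is already taken (as the post describes).
    d.accounts[username] = Account(username, email, verified)

def login(d, username, client_id):
    d.sessions.setdefault(username, []).append(client_id)

def request_reset_vulnerable(d, email):
    """Defective routing: one token covering every account that registered this
    address is pushed to every logged-in client of any of those accounts."""
    matches = [a for a in d.accounts.values() if a.email == email]
    token = secrets.token_hex(8)
    d.issued[token] = [a.username for a in matches]
    return [(c, token) for a in matches for c in d.sessions.get(a.username, [])]

def request_reset_fixed(d, email):
    """Hardened routing: only verified owners count, each token is bound to one
    account, and delivery goes to the mailbox, never to a client session."""
    owners = [a for a in d.accounts.values() if a.email == email and a.email_verified]
    out = []
    for a in owners:
        token = secrets.token_hex(8)
        d.issued[token] = [a.username]
        out.append(("mailbox:" + email, token))
    return out

def demo():
    """Constructed scenario: a second account registers the victim's address and stays logged in."""
    d = Directory()
    register(d, "victim", "victim@example.com", verified=True)
    register(d, "attacker", "victim@example.com")  # warning shown, sign-up still succeeds
    login(d, "attacker", "attacker-client")
    email = "victim@example.com"
    return d, request_reset_vulnerable(d, email), request_reset_fixed(d, email)
```

Running `demo()` shows the defective handler handing the attacker's client a token that can reset the victim's account, while the fixed handler issues a single victim-bound token to the mailbox only.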
Reddit user virtulis then provided steps for blocking the attack.
How to avoid hijacking:
- log in on skype.com (if you still can, that is)
- go to the profile, click Edit and add an email address an attacker won’t guess. (Or email@example.com if you’re using Gmail)
- click Save
- click Edit again, set the new address as Primary
- click Save, have a laugh at the message, enter the password and click the Enter button or it won’t work (like one bug was not enough)
- delete the old email
After users raised the issue, Skype reacted quickly and disabled its in-app password reset feature, which blocks the account takeover. Users who had forgotten or lost their passwords had to wait for further announcements.
“Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience,” wrote Skype’s Leonas Sendrauskas in the company’s updated blog post.