Better check your Skype password after hack is exposed

Microsoft is forced to pull password reset function due to a vulnerability that could allow an account to be hacked.

Better double-check your Skype account. Microsoft fixed the password reset function for Skype after a vulnerability came to light that allowed hackers to hijack accounts using just their victim's email address.

The flaw would allow an attacker to reset the password of any Skype user, so they could change the password and lock the victim out completely. The reset function was down for a few hours but Microsoft has fixed the problem.

To exploit the vulnerability, all an attacker needed to know was the email address tied to the victim's Skype account. That was enough to persuade the Microsoft-owned service to provide a password reset token that gave them access.

The hack was first revealed on a Russian-language forum two months ago, according to an article on The Next Web. TNW then did its own test and verified the exploit.

Essentially, the exploit allowed the user to create a new account with the stolen email address. Skype sends password reminders to both the account holder's email address and the Skype app itself. That was the exploit. A third party could intercept the reset password message and reset the password on their own.
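The logic flaw described above can be shown in a simplified model, next to two checks that block it in that model. This is an added example, not Skype's code and not from the article; the `ResetService` class, the account names and the `example.test` address are hypothetical.

```python
import secrets

class ResetService:
    """Toy account store modelling reset-token delivery (constructed example)."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.accounts = {}   # username -> email on file
        self.mailbox = {}    # email -> tokens delivered by mail
        self.in_app = {}     # username -> tokens shown in that user's client

    def register(self, username, email):
        # Check 1: one email address may back only one account.
        if self.hardened and email in self.accounts.values():
            raise ValueError("email already bound to another account")
        self.accounts[username] = email

    def request_reset(self, email):
        token = secrets.token_urlsafe(16)
        self.mailbox.setdefault(email, []).append(token)
        if not self.hardened:
            # Flawed behaviour: the token is also pushed to the client of
            # every account that lists this email, whoever registered it.
            for user, addr in self.accounts.items():
                if addr == email:
                    self.in_app.setdefault(user, []).append(token)
        # Check 2 (hardened): the token leaves only through the mailbox.
        return token

def demo(hardened):
    """Return (second_registration_rejected, accounts_shown_token_in_app)."""
    svc = ResetService(hardened)
    svc.register("owner", "owner@example.test")
    try:
        # A second account created with the same address, ownership unproven.
        svc.register("second", "owner@example.test")
        rejected = False
    except ValueError:
        rejected = True
    token = svc.request_reset("owner@example.test")
    shown = sorted(u for u, toks in svc.in_app.items() if token in toks)
    return rejected, shown

if __name__ == "__main__":
    print("flawed:  ", demo(False))
    print("hardened:", demo(True))
```

In the flawed configuration the second account sees the owner's reset token without ever having access to the mailbox; in the hardened one the duplicate registration is refused and the token is delivered by email only.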

The ugly details can be found on Hacker News.