We are reaching out to a small number of users who may have been impacted to assist as necessary. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. This issue affected some users where multiple Skype accounts were registered to the same email address. "Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. Update: At 15:28 GMT, Skype said it had resolved the issue. For instance, earlier this year it was accused of being slow to fix a flaw that could allow the gathering of information from Skype users, including a victim’s city, country, internet provider and IP address. Microsoft-owned Skype has made the headlines for security reasons in the past. We apologize for the inconvenience but user experience and safety is our first priority"īefore Skype withdrew the ability for users to reset their passwords, the only protection for users was to change the email address connected with their Skype account to one which was not known by anybody else. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. "We have had reports of a new security vulnerability issue. Skype has responded to the reports by temporarily disabling password resets for Skype accounts, and published a brief advisory to users: The issue was reportedly documented on Russian forums months ago, and appears to have been easy to exploit. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account."
When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. "The reason this works is simple, but it's still worrying. The Next Web describes how it managed to reproduce the attack, accessing the Skype accounts of staff by just knowing their email address, and then changing the passwords of their “victims” to lock them out. A serious security problem has been uncovered in Skype, which allows hackers to hijack accounts just by knowing users’ email addresses.
0 kommentar(er)
