Skype investigating account theft vulnerability - Update 2
Microsoft-owned VoIP service provider Skype has taken its password reset mechanism offline following a report from The Next Web about a security vulnerability that apparently allowed anyone to take over a Skype account of their choice. According to the report, an attacker with knowledge of the email address associated with a Skype account could take complete control of that account by changing the password.
The vulnerability was first disclosed on a Russian security forum and The Next Web says it was able to reproduce the exploit. Skype has said that it is currently investigating the issue and has disabled the password reset functionality for its service as a precaution while the investigation is ongoing.
The email address for the target account was reportedly first used to extract the associated Skype name from the service. The attacker would then create another Skype username for the target email address and use it to request and redeem a password reset token, locking the legitimate user out of their account. Both The Next Web and the original discoverer of the vulnerability say they have disclosed the problem to Skype and Microsoft.
Since Skype has now disabled the password recovery functionality, the security hole cannot currently be exploited. It remains to be seen whether, once the company has concluded its investigation, the vulnerability is closed with an update to the Skype client itself or to the service's backend servers.
Update 14-11-12 14:33: The H's associates at heise Security were able to confirm the security vulnerability before Skype disabled its password reset system. Using a newly created Skype name with the target's email address, they were able to request a password reset token which was sent by email and as a chat message to the new Skype account. Using this, they were able to reset the target account's password without having access to its original email address.
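The design flaw described in the report and confirmed by heise Security above comes down to two reset-flow decisions: the token was keyed to an email address rather than to one account, and it was delivered in-app to every account claiming that address, including a freshly created one whose claim had never been verified. The following Python model is an added example, not code from the article or from Skype; the class and channel names (`ResetService`, `chat_inbox`, `mailboxes`) and the exact token formats are assumptions. It places the flawed flow beside a hardened one so the difference in where the token is bound and where it is delivered is explicit.

```python
# Added example (not from the article or from Skype): a toy model of the
# password-reset design flaw described above and a hardened alternative.
# All names and the in-app "chat" / "mailbox" channels are assumptions.
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    skype_name: str
    email: str
    password: str
    email_verified: bool = False
    chat_inbox: list = field(default_factory=list)  # in-app chat delivery channel


class ResetService:
    def __init__(self):
        self.accounts = {}    # skype_name -> Account
        self.mailboxes = {}   # email -> messages delivered out of band
        self.tokens = {}      # token -> ("email", addr) or ("account", skype_name)

    def register(self, skype_name, email, password, email_verified=False):
        acct = Account(skype_name, email.lower(), password, email_verified)
        self.accounts[skype_name] = acct
        return acct

    # --- flawed flow, modelled on the report ---------------------------------
    def request_reset_insecure(self, email):
        """Issue one token keyed only by email and deliver it, by chat, to every
        account claiming that email, whether or not the claim was verified."""
        email = email.lower()
        token = secrets.token_hex(16)
        self.tokens[token] = ("email", email)
        delivered_to = []
        for acct in self.accounts.values():
            if acct.email == email:
                acct.chat_inbox.append(token)
                delivered_to.append(acct.skype_name)
        return delivered_to

    def redeem_insecure(self, token, skype_name, new_password):
        """Any account sharing the email can be reset with the same token."""
        kind, email = self.tokens.get(token, (None, None))
        acct = self.accounts.get(skype_name)
        if kind != "email" or acct is None or acct.email != email:
            return False
        del self.tokens[token]
        acct.password = new_password
        return True

    # --- hardened flow --------------------------------------------------------
    def request_reset_secure(self, email):
        """Only accounts that have verified the email get a token; each token is
        bound to exactly one account and goes only to the mailbox, never in-app."""
        email = email.lower()
        issued = 0
        for acct in self.accounts.values():
            if acct.email == email and acct.email_verified:
                token = secrets.token_urlsafe(32)
                self.tokens[token] = ("account", acct.skype_name)
                self.mailboxes.setdefault(email, []).append((acct.skype_name, token))
                issued += 1
        return issued

    def redeem_secure(self, token, skype_name, new_password):
        """The token resets only the single account it was bound to."""
        kind, bound_name = self.tokens.get(token, (None, None))
        if kind != "account" or bound_name != skype_name:
            return False
        del self.tokens[token]
        self.accounts[skype_name].password = new_password
        return True


def demo():
    """Walk both flows with a verified owner and a fresh unverified account
    that claims the same email; returns what each flow allowed."""
    svc = ResetService()
    svc.register("victim", "victim@example.com", "s3cret", email_verified=True)
    fresh = svc.register("fresh-account", "victim@example.com", "x")  # unverified

    # Flawed flow: the fresh account's chat receives a token valid for "victim".
    svc.request_reset_insecure("victim@example.com")
    insecure_takeover = svc.redeem_insecure(fresh.chat_inbox[-1], "victim", "changed")

    # Hardened flow: nothing is delivered in-app; the mailbox token is bound to
    # "victim" and cannot be redeemed against any other account.
    fresh.chat_inbox.clear()
    svc.request_reset_secure("victim@example.com")
    _, mailbox_token = svc.mailboxes["victim@example.com"][0]
    return {
        "insecure_takeover": insecure_takeover,
        "secure_chat_leak": bool(fresh.chat_inbox),
        "secure_cross_account": svc.redeem_secure(mailbox_token, "fresh-account", "x"),
        "secure_owner_reset": svc.redeem_secure(mailbox_token, "victim", "restored"),
    }
```

The two properties worth checking in any reset implementation follow directly from this model: a token must identify one account, not an attribute several accounts can share, and it must travel only over a channel whose ownership has already been verified. An unverified email claim on a new account should grant that account nothing until the mailbox has proven itself.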
Dmitry Chestnykh, who originally found the bug that later led to the discovery of the vulnerability, has now presented a chat log that supposedly proves that he contacted Skype support with details of the problem back in August. If this information proves to be correct, Skype's password reset mechanism was vulnerable for several months until the company disabled it as part of its investigation.
Update 14-11-12 16:25: Skype has now updated its statement on the security issue to say that it has amended its password reset process so that it should now work properly. The company goes on to say that it believes only "a small number of users" may have been affected by the security problem and these users are being contacted and offered assistance.