A Skype security flaw could allow rogue users to seize control of your account using nothing more than your email address, thanks to subpar recovery policies that can be easily gamed. The exploit depends on Skype’s policy of reminding new sign-ups of any existing usernames they have previously registered, when they attempt to re-register using the same email address. According to The Next Web, with a minor amount of tinkering, it’s possible to reset another user’s password and thus grab hold of their account.
Although a signed-in user will be able to see when somebody else attempts the hack, they would need to react fast in order to actually prevent themselves from being locked out. If they were not logged in at the time, or not paying sufficient attention, then they could have their Skype credentials usurped – along with any credit on that account – without them even realizing it had happened.
Skype is apparently conducting an “internal investigation” into the loophole, though for now there’s no official comment on when it might be closed off. The hack was first reported on a Russian forum roughly two months ago, it’s said, with the person responsible for discovering the exploit claiming to have told Skype about it with no apparent change in recovery security.
For the moment, the best advice is to change your registered email in the Skype settings to an address that is not obviously associated with your account. That reduces the likelihood of a takeover, though we’ll need to see a change in how accounts are handled by Skype itself before the hack is closed down for good.
Update: More complete instructions for the workaround can be found here, courtesy of Reddit:
1. Log in on skype.com.
2. Go to the profile, click Edit and add an email address an attacker won’t guess. (Or firstname.lastname@example.org if you’re using Gmail.)
3. Click Edit again and set the new address as Primary.
4. Click Save, enter the password and click the Enter button.
5. Delete the old email.
Update 2: Skype has given us the following statement:
“We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience but user experience and safety is our first priority.”