Skype has just fixed a Skype security flaw that may have been circulating on Russian hacker forums for months. The flaw made it possible for anyone to change a user's password with only the victim's email address.
"[We] made updates to the password-reset process today so that it is now working properly," Skype said in a statement posted today (Nov. 14). "We are reaching out to a small number of users who may have been impacted to assist as necessary."
It's not clear when Skype, which was bought out by Microsoft last year, first learned about the flaw. But the video- and voice-chat service took down its password reset page, temporarily mitigating the threat as the software company worked toward a more permanent solution.
"We have had reports of a new security vulnerability issue," Skype said in an earlier version of its statement. "As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further."
But that solution meant that any infrequent Skype user who may have forgotten his password would have been locked out for several hours.
Before the fix, the only way a user could protect himself would have been by changing his account's primary email address to one that only he knew.
Password panic
Exploiting the vulnerability would begin by registering a new Skype account with the victim's known email address. If that email account was already linked to an existing account, a message reading "you already have a Skype account" would appear, but the attacker would still be able to create a new account linked to the old email address.
After that, there would be two different Skype accounts, with two different passwords, connected to a single email address. But by using the login credentials he'd just created, the attacker would be able to access the password-reset pages for both accounts and create a reset token that would apply to any account with that primary email address.
The password-reset token would be sent to the victim's email account, to which the attacker presumably wouldn't have access. But it would also show up on the Skype application, to which he would. A link would display in the Skype application, and clicking it would bring up a Web browser with the password reset page.
"You've got more than one Skype Name," the page would say. "Please choose which one you want to change the password for."
Once the attacker changed the password, it would be curtains for the victim — almost. A victim who thought like a hacker could theoretically use the same trick to recapture his account, but if the thief had removed the victim's original email address from both accounts, the victim would be out of luck.
Sloppy security
The flaws that made this exploit possible begin with the registration. New users should not be able to register new accounts with an email address that's already being used.
If a user with one account wants to create a second account using the same email address, he should be either logged in or asked for his password. Some authentication ought to be required.
The second fault lies in the password-reset process. In the recent flawed configuration, no authentication was needed to reset the Skype password — not an old password, security question or even access to another secure account like an email address.
Although a notification and token are sent to the primary email address holder, sending the token to the Skype application makes passwords an exercise in futility. Anyone with access to an open desktop running Skype could change the victim's password with nothing more than an Internet connection.
The details of Skype's solution remain unclear.
The exploit left users vulnerable to a number of threats, including the theft of chat logs, contact information, payment details used to purchase Skype credits and the credits themselves. Attackers could further propagate scams by impersonating a victim in order to glean private details from contacts or simply stir up trouble.
Victims of this exploit should alert their Skype contacts not to trust communications coming from their account and should get in touch with Skype immediately.
Follow Ben on Twitter.