Today an extremely dangerous vulnerability on skype has been posted on a Russian forum .
The vulnerabilty seems to allow to an attacker to change the password of Skype’s victims just knownig his/her email address!
This is the post seen on the forum:
Here’s the original link where I’ve read about this (in Russian) – http://habrahabr.ru/post/158545 /
with multiple people in the comments confirming it works and also reporting their accounts were stolen.
Here’s how it works:
Sign up for a new Skype account. Use the victim’s email. A warning will come up that an account with that email already exists, but you can still proceed with filling out the form and account creation.
Log in to the Skype client with your new account.
https://login.skype.com/account/password-reset-request – request a password reset using the victim’s email.
You will get a password reset notification and token in your skype client. Follow the link to pick the victim’s account and reset the password.
It appears the only way to safeguard yourself for now is to change your main Skype account email to one that’s not publicly known.
Here you can find a step-by-step guide with all the details of the vulnerability!
Actually skype seems to be fixing this BIG issue because is not allowing anymore to change password from their website.
A redirect from:
https://login.skype.com/account/password-reset-request
to:
https://secure.skype.com/portal/overview
has been set and at this time (11.00 AM 14/11/2012 BST) this doesn’t allow users to get their lost password anymore..
Update: Skype shared the following statement:
“We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority”
The post Skype Vulnerability – Hack any account just knowing the email address appeared first on .
