The previous policy allowed folks to sign up a new account, with an email address of an account that is already in use. After signing in, it was then possible to force reset passwords for accounts linked to that particular email address. The password reset tokens were then sent through the Skype client, which meant hackers wouldn’t need access to the email address in question in order to hijack a Skype account.
This is discouraging news indeed folks!
The vulnerability has actually been around for a while; it was originally posted in a Russian web forum with detailed instructions on how to reproduce the hack. The Next Web found the instructions and took the opportunity to test out the security flaw, and unfortunately, they were successful. Next Web posted information about the security threat on their site and brought it to the attention of Skype and Microsoft, luckily before anyone could be severely harmed.
Microsoft and Skype took action immediately by halting the password reset procedure until the issue could be fixed. Later, Skype issued a statement to TNW implying that the security flaw only affected a small number of users –this was clearly proven to be a false claim as the vulnerability affected all Skype accounts.
As we’ve mentioned above, the proper fix has been implemented, and Skype accounts are now safe and secure again, at least for a little while. We can all go back to making faces and mooning people over the internet now.
Hopefully in the future, Microsoft and Skype will pay a little more attention when an issue like this pops up.
On a side note: I can’t help but feel like this all went down in an overly dramatic fashion. What say you fellow readers?
Source: The Next Web