Skype temporarily disabled its password reset capability while engineers investigated a security issue through which hackers could use password reset to take over the accounts of other users. The issue was resolved around 7:30 AM PT.
According to various accounts, the attacker would sign up for a new account using an email address already in use. A pop-up would indicate that the account already existed, but it was apparently possible to proceed with the new account setup anyway. The attacker could then log in to that account and request a password change. The Skype client would then receive a password change notification that needed to be confirmed by clicking on the attached link, and the process would be complete.
"In essence the procedure is so simple it could be carried out by even the most inexperienced of computer users," wrote Rik Ferguson, director of security research at Trend Micro, in his blog post. "This would lock the victim out of their Skype account and allow the hacker to receive and respond to all messages destined for that victim until further notice. I tested the vulnerability and the entire process took only a matter of minutes."
The enabling factor was the attacker's knowledge of the victim's email address. Therefore, much of the advice around preventing the attack has been for users to change the email address associated with their account to one that is not widely known.
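To make the two design mistakes concrete, here is an added toy model (not Skype's code; every class, method and sample address is hypothetical) of an account service that, in flawed mode, lets a second account claim an already linked email address and then shows reset tokens to whichever in-app session shares that address, and, in hardened mode, rejects the duplicate and delivers reset tokens only to the verified mailbox of the single account that owns it:

```python
# Added illustration, not Skype's code: a toy account service contrasting the
# flawed flow described above with a hardened one. All names are hypothetical.
import secrets


class AccountService:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts = {}       # username -> {"email": str, "verified": bool}
        self.reset_tokens = {}   # token -> username the token is bound to
        self.delivered = []      # (recipient, token, username) delivery records

    def register(self, username: str, email: str, verified: bool = False):
        if any(a["email"] == email for a in self.accounts.values()):
            if self.hardened:
                # Fix 1: an address already linked to an account cannot be reused.
                raise ValueError("email already linked to an existing account")
            # Flawed flow: the clash is noticed (the pop-up) but not enforced.
        self.accounts[username] = {"email": email, "verified": verified}

    def request_reset(self, requester: str):
        email = self.accounts[requester]["email"]
        matching = [u for u, a in self.accounts.items() if a["email"] == email]
        for username in matching:
            token = secrets.token_urlsafe(16)
            self.reset_tokens[token] = username  # token bound to one account
            if self.hardened:
                # Fix 2: deliver only to the verified mailbox of that one account,
                # never to an in-app session that merely shares the address.
                if self.accounts[username]["verified"]:
                    self.delivered.append(("mailbox:" + email, token, username))
            else:
                # Flawed flow: the requesting session sees reset tokens for every
                # account sharing the address, including ones it does not own.
                self.delivered.append(("session:" + requester, token, username))

    def accounts_resettable_by(self, requester: str) -> set:
        """Usernames whose reset tokens were delivered to the requester's session."""
        return {u for (to, _, u) in self.delivered if to == "session:" + requester}
```

Running both modes against a constructed owner account and a duplicate registration shows the flawed service handing the duplicate a token for the owner's account, while the hardened service refuses the duplicate outright.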
The flaw has reportedly been discussed in Russian chat rooms for the past two months, but it gained a higher profile this week as awareness spread in the United States and other Western countries.
This exploit is the latest in a series of Skype-related security issues this year. Previous attacks include a Dorkbot worm that was enabled by a backdoor delivered in a zip file. In addition, an instant messaging exploit was widely reported during the summer. A third exploit involved the exposure of users' IP addresses.
PUBLISHED NOV. 14, 2012