Skype recently patched a vulnerability that made it easy for attackers to hijack user accounts.
"Details of the vulnerability were first published in August on an online Russian-language hacking forum," writes InformationWeek's Mathew J. Schwartz. "Tuesday, the same Russian hacking forum user posted an update, reporting that the flaw still hadn't been fixed. That finally led Skype Wednesday to acknowledge the security vulnerability and begin working on a fix."
"An attacker would need only to know a potential victim’s email address to hijack an account," writes Threatpost's Michael Mimoso. "A weakness in the password reset system allowed an attacker to create a new Skype account with an existing email address tied to a current Skype account. After requesting a password reset, a password token is sent to the application. An attacker in a couple of steps could use that token as their own and would have access to the victim’s account, user name, text and conversation history and more."
"We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly," Skype's Leonas Sendrauskas wrote in a Wednesday blog post. "We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience."
"The Russian hackers who discovered the exploit say they warned Skype some time ago, but the company took no action," writes TG Daily's Emma Woollacott. "It's not the first time that Skype's been accused of dragging its heels over a security fix, most notably when it took 18 months to repair a hole that revealed users' IP addresses and other data earlier this year."
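The reset weakness quoted above comes down to a token that was not tied to a proven owner of the address. The sketch below is an added example, not Skype's code: it shows a reset flow that sends tokens only to a verified mailbox and binds each one to a single account. The class, usernames, addresses and the in-memory "outbox" are all hypothetical.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 900  # seconds a reset token stays valid (constructed value)

class ResetService:
    def __init__(self):
        self.accounts = {}  # username -> {"email": str, "verified": bool}
        self.tokens = {}    # sha256(token) -> (username, expiry)
        self.outbox = []    # (email, username, token); stands in for the mail system

    def register(self, username, email, verified=False):
        # A new sign-up gains no trust from an address it has not proven it controls.
        if username in self.accounts:
            raise ValueError("username taken")
        self.accounts[username] = {"email": email.lower(), "verified": verified}

    def request_reset(self, email):
        # Tokens go to the mailbox only, never to a logged-in client session,
        # and only for accounts that have verified this address.
        for user, acct in self.accounts.items():
            if acct["email"] == email.lower() and acct["verified"]:
                token = secrets.token_urlsafe(32)
                digest = hashlib.sha256(token.encode()).hexdigest()
                self.tokens[digest] = (user, time.time() + TOKEN_TTL)
                self.outbox.append((acct["email"], user, token))

    def redeem(self, username, token, now=None):
        # Single use: the token is consumed by any redemption attempt.
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)
        if entry is None:
            return False
        owner, expiry = entry
        now = time.time() if now is None else now
        # The token must be bound to this exact account and still be fresh.
        return owner == username and now < expiry

if __name__ == "__main__":
    svc = ResetService()
    svc.register("alice", "alice@example.test", verified=True)
    svc.register("mallory", "alice@example.test")  # same address, never verified
    svc.request_reset("alice@example.test")
    print([user for _, user, _ in svc.outbox])     # only the verified owner is mailed
```

Storing only the token's hash means a leaked token table cannot be replayed, and consuming the token on a mismatched attempt means a token that has reached the wrong party is dead on first use.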