Essentially, the oversight allowed people to create a new Skype ID, and associate it with the email address of the intended victim. Then, attackers could simply use the online password reset form to get new credentials, hijack the account and gain the ability to read and respond to all messages meant for the original user.
Microsoft disabled the password reset earlier today after becoming aware of the issue. “We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly,” it said in a blog. “We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.”
But Rik Ferguson, researcher at Trend Micro, noted that abuse of the vulnerability has been widespread, affecting many users from his own contact list. And no wonder: knowledge of the issue has been circulating for months.
“Proof of concept for the issue was posted in a Russian forum about three months ago and the original poster posted again on a different site just yesterday that the vulnerability was still not fixed,” he said in his blog. "Before the access to reset passwords was disabled, the only way to protect yourself was to register an entirely separate and secret email address for use with your Skype account. This is not only security by obscurity, it could theoretically leave you more open to attacks as you are less likely to investigate regularly the inbox of such little-used addresses.”
The attack vector was so simple that even computer novices could take advantage of it, making for far-ranging ramifications. The issue may be resolved but the takeaway message of vigilance is important. “Moral of the story? Even information which you are used to handing out to anyone can be used against you, there is no such thing as too much privacy,” said Ferguson.
Skype unfortunately has a record when it comes to unfixed vulnerabilities. One flaw that allowed hackers to track the location of Skype users went 18 months before being patched.