(LiveHacking.Com) – The last 36 hours have been a bit manic for Microsoft’s Skype business. A vulnerability that was discovered three months ago went public when its details were shared on the news discussion site Reddit. The flaw allowed malicious users to reset the password for any account without having access to the target account’s email address. Skype’s first move was to disable the password reset function.
To exploit the flaw, a new user account needed to be created using an email address that was already associated with an existing Skype user. If a password change was then requested using the target’s username, the “Password token” notification also appeared in the Skype client of the newly created account. Clicking a “more info” button on this notification gave the attacker the password reset link, which led to a page on the Skype website where the password could be changed. At no point did the attacker need access to the target’s email account.
Dmitry Chestnykh, who is credited with originally finding the bug, has posted a record of a chat conversation with Skype Live Support in which he points out that he received a Welcome email for a Skype account he did not create. It was Skype’s failure to verify email addresses at sign-up that led to the discovery of the password reset vulnerability. The chat log is from August, so if it is genuine, Skype’s password reset mechanism was vulnerable for several months.
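The two design decisions the article identifies, accepting an unverified email address at sign-up and surfacing a reset token in the client of every account sharing that address, can be modelled in a few dozen lines. The following is a constructed toy model written for this page, not Skype’s code, and it makes no claim about how Skype’s service was actually built; the class and method names (`ResetService`, `register`, `confirm_email`, `request_reset`, `token_leaks_across_accounts`) are all invented here. The `verify_email=False` instance reproduces the weak flow; the `verify_email=True` instance refuses resets for unverified addresses and delivers the token only by email, so a second account registered to someone else’s address never sees it. The last function is the kind of regression check a defender would keep in a test suite: a reset token issued for one username must never appear in another account’s client.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool = False
    # Reset tokens that this account's logged-in client was shown (constructed model).
    client_notifications: List[str] = field(default_factory=list)


class ResetService:
    """Hypothetical account store plus password-reset flow (not Skype's code)."""

    def __init__(self, verify_email: bool):
        # verify_email=False models the weak pre-fix design described in the article.
        self.verify_email = verify_email
        self.accounts: Dict[str, Account] = {}
        self.pending: Dict[str, str] = {}            # reset token -> username
        self.outbox: List[Tuple[str, str]] = []      # (email, token) actually mailed

    def register(self, username: str, email: str) -> Account:
        # Weak design: the address is trusted as-is. Hardened design: it stays
        # unverified until the mailbox owner confirms it.
        acct = Account(username, email, email_verified=not self.verify_email)
        self.accounts[username] = acct
        return acct

    def confirm_email(self, username: str) -> None:
        """Only called once the mailbox owner has proved control of the address."""
        self.accounts[username].email_verified = True

    def request_reset(self, username: str) -> Optional[str]:
        acct = self.accounts[username]
        if self.verify_email and not acct.email_verified:
            return None  # no verified address, so no reset path at all
        token = secrets.token_urlsafe(16)
        self.pending[token] = username
        self.outbox.append((acct.email, token))
        if not self.verify_email:
            # Weak design: the notification is pushed to every client logged in
            # to any account that shares the (never verified) email address.
            for other in self.accounts.values():
                if other.email == acct.email:
                    other.client_notifications.append(token)
        return token

    def consume_reset_token(self, token: str) -> Optional[str]:
        """One-time use: returns the username whose credential may now change."""
        return self.pending.pop(token, None)


def token_leaks_across_accounts(service: ResetService, owner: str, other: str) -> bool:
    """Regression check: does a reset for `owner` ever reach `other`'s client?"""
    service.request_reset(owner)
    seen = service.accounts[other].client_notifications
    return any(service.pending.get(t) == owner for t in seen)


if __name__ == "__main__":
    weak = ResetService(verify_email=False)
    weak.register("owner", "owner@example.com")          # constructed sample data
    weak.register("second", "owner@example.com")         # same address, no check
    print("weak design leaks token:", token_leaks_across_accounts(weak, "owner", "second"))

    hard = ResetService(verify_email=True)
    hard.register("owner", "owner@example.com")
    hard.confirm_email("owner")                           # mailbox owner confirmed
    hard.register("second", "owner@example.com")          # stays unverified
    print("hardened design leaks token:", token_leaks_across_accounts(hard, "owner", "second"))
```

The hardened variant still lets several accounts be registered to one address, which Skype’s statement suggests was a legitimate use case; what changes is that only a confirmed address can start a reset, and the token travels solely to that mailbox.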
After suspending the password reset service, Skype issued a statement in which it said, “This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution.” It then worked to fix the flaw and said it has made “updates to the password reset process today so that it is now working properly.”
Skype says it believes only “a small number of users” may have been affected by the security vulnerability and that it is reaching out to users who may have been impacted to assist as necessary. It also offered the obligatory “we care about security” statement: “Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.”