The Next Web is reporting that a security hole in Skype’s password recovery tool means that your account can be hacked using just your email address and username.
A team of Russian hackers discovered the flaw and posted details online. Since then, The Next Web has confirmed that the technique works. The five-step hack uses some nimble tricks to allow a password reset to be intercepted. The Next Web explains:
The reason this works is simple, but it’s still worrying. When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is OK, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account.
Voila — account hacked. In theory, this means that anyone who knows your email address and Skype username could hack your account should they wish. Currently, then, the only way to avoid the hack would be to register your Skype account with an entirely private email address. Chances are, however, that won’t stay the case for long: Microsoft told The Next Web that it is currently conducting an internal investigation into the problem. [The Next Web via The Verge]
Update: Skype has issued the following statement, explaining that you should be safe for now:
We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience but user experience and safety is our first priority.