New Skype security vulnerability found

A serious new security weakness has been discovered in the popular video-calling service Skype.

The vulnerability allows anybody to reset a Skype password and then gain sole control of the corresponding account.

To begin the process, a hijacker simply needs to sign up for a new Skype account with the email address of an existing Skype user. This prompts Skype into warning that the email address is already associated with an account - but it still allows the new account to be opened.

After this, the offending party can request a password reset for the original account and receive it through the Skype app. The attacker can then use this to gain full access to the account and all of the information stored within it.
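The logic flaw described above, as an added example that is not Skype's code: a toy account service in Python where the flawed mode accepts a duplicate email with only a warning and shows reset tokens in-app to every account claiming that address, while the strict mode rejects duplicates and sends tokens only to the mailbox. All class, function and account names, and the example.test address, are constructed for illustration.

```python
import secrets

class AccountService:
    """Toy model (constructed, not Skype code). strict=False reproduces the flaw."""

    def __init__(self, strict):
        self.strict = strict
        self.accounts = {}   # username -> {"email": ..., "password": ...}
        self.app_inbox = {}  # username -> reset tokens shown inside the client
        self.mailbox = {}    # email -> reset tokens sent out of band by e-mail
        self.tokens = {}     # token -> username whose password it resets

    def register(self, username, email, password):
        taken = any(a["email"] == email for a in self.accounts.values())
        if taken and self.strict:
            raise ValueError("email already bound to an account")
        # Flawed mode: a duplicate address only produces a warning.
        self.accounts[username] = {"email": email, "password": password}
        self.app_inbox[username] = []
        return "warning: email already in use" if taken else "ok"

    def request_reset(self, target):
        email = self.accounts[target]["email"]
        token = secrets.token_urlsafe(16)
        self.tokens[token] = target
        if self.strict:
            # Hardened: the token only goes to the mailbox, never to a session.
            self.mailbox.setdefault(email, []).append(token)
            return
        # Flawed: every account that claims the address sees the token in-app.
        for user, acct in self.accounts.items():
            if acct["email"] == email:
                self.app_inbox[user].append(token)

    def reset_password(self, token, new_password):
        user = self.tokens.pop(token)  # single use
        self.accounts[user]["password"] = new_password
        return user

def second_account_can_reset(strict):
    """True if a second account claiming the same address can reset the first."""
    svc = AccountService(strict)
    svc.register("owner", "owner@example.test", "original-pw")
    try:
        svc.register("second", "owner@example.test", "other-pw")
    except ValueError:
        return False  # duplicate rejected at sign-up
    svc.request_reset("owner")
    leaked = svc.app_inbox["second"]
    return bool(leaked) and svc.reset_password(leaked[0], "new-pw") == "owner"
```

Either control alone breaks the chain in this model: enforcing one account per address at sign-up, or delivering reset tokens only to the mailbox rather than to a logged-in client.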

Skype has issued the following statement regarding the potential breach: "We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience but user experience and safety is our first priority."

Costin Raiu, a senior security researcher at Kaspersky Labs, last night took to Twitter to announce that the issue had been exploited in the hacking of the Skype account of Alexey Navalny, a Russian politician.

The weakness was originally identified on a Russian blog three months ago, but only really came into the public eye after it was posted on Reddit earlier today. The security hole has been tested and confirmed by The Next Web.

Security concerns frequently threaten to undermine Skype's success - back in October 2012, Skype users were attacked by the Dorkbot ransomware.

Skype recently unveiled two new pieces of software, Skype 6.0 for Windows and Mac desktop environments, and also a preview version of its new Windows Phone 8 app.

There has been no mention of the new vulnerability relating to a specific platform as yet.