Thursday, April 27, 2017

Skype patches password reset exploit

An easily exploited password reset vulnerability in Skype was patched by Microsoft on Wednesday morning. Details of the flaw initially appeared on a Russian forum two months ago, but went viral early Wednesday after Reddit.com and other sites reposted details about the security issue, which could allow essentially anyone who knows a Skype user’s email address to reset their account password and access their account.

On Wednesday, Chaim Haas, a Skype spokesman, emailed SCMagazine confirming that the password reset vulnerability had been resolved.

Kurt Baumgartner, senior security researcher at Kaspersky Lab, told SCMagazine.com in an e-mail that the Skype security issue was a “rare” flaw, given how easily it could be exploited.

“The problem was very poor design for the password reset process,” he said. “This sort of thing doesn’t happen that often anymore on major services. I would call it a rare flaw.”

All an attacker would require is a few minutes of time, a small amount of knowledge about the victim, and an email account, he added.

“A similar sort of mistake, but somewhat more difficult to exploit, was the recent Google [SSL] certificate spoof,” he said. “These holes are rare, but they exist.”

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.
