A simple-exploit password reset exposure in Skype was patched by Microsoft on Wednesday morning. Points about the fault initially appeared on a Russian forum two months ago, but went viral early Wednesday after Reddit.com and additional sites reposted details about the security issue, which could allow essentially anyone who knows a Skype user’s email address to reset their account password and access their account.
On Wednesday, Chaim Haas, a Skype spokesman, emailed SCMagazine confirming that the password reset vulnerability had been resolved.
Kurt Baumgartner, senior security researcher at Kaspersky Lab, had mentioned SCMagazine.com in an e-mail that the Skype security release was a “rare” flaw, seeing how easily it could be exploited.
“The problem was very poor design for the password reset process,” he said. “This sort of thing doesn’t happen that often anymore on major services. I would call it a rare flaw.
The only details an attacker would require is a few minutes of time, a small amount of knowledge about the victim, and an email account, he added.
“A similar sort of mistake, but somewhat more difficult to exploit, was the recent Google [SSL] certificate spoof,” he said. “These holes are rare, but they exist.”
