updated 08:19 am EST, Wed November 14, 2012
Password reset token core to two-month-old flaw
A security hole in Skype's account management has been discovered by Russian hackers. Posted on a forum two months ago, the flaw revolves around the password reset function: an attacker needs only the target's e-mail address, and the attack ends with the hacker in control of the Skype account and the legitimate user locked out.
Tested and verified by The Next Web, the method requires the hacker to create a new Skype account using the target's e-mail address. After making some changes to that account, the hacker can reset a password with the password reset token without ever accessing the target's e-mail inbox. In effect, anyone can register a new account against an e-mail address they do not control and then point the reset at the target's username.
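The flaw class described above (a reset token that is scoped to an e-mail address rather than to a single account whose ownership of that address has been verified) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Skype's code and not a reproduction of the forum post: the classes, method names, the assumption that the token is handed back to whoever requested the reset, and the hardened counterpart are all constructed for the demo.

```python
"""Toy model of an address-scoped password-reset flow and a hardened form.
Added example, not Skype's code; every class, name and step is an assumption."""
import hmac
import secrets


class _Base:
    def __init__(self):
        self.accounts = {}   # username -> {"email": str|None, "password": str}
        self.tokens = {}     # reset token -> what it is bound to
        self.outbox = []     # (address, message): stands in for outbound mail

    def login(self, username, password):
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(acct["password"], password)


class VulnerableResetService(_Base):
    """Assumed model of the reported behaviour: registering never proves control
    of the address, the token is bound to the address, and the redeemer picks
    which account on that address receives the new password."""

    def register(self, username, email, password):
        self.accounts[username] = {"email": email, "password": password}

    def request_reset(self, email):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = email
        return token   # assumption: the requester gets to see the token

    def reset_password(self, token, username, new_password):
        email = self.tokens.pop(token, None)
        acct = self.accounts.get(username)
        if email is None or acct is None or acct["email"] != email:
            return False
        acct["password"] = new_password
        return True


class HardenedResetService(_Base):
    """Address verified before it is attached, one account per verified address,
    token bound to that account, token delivered only to the verified mailbox."""

    def __init__(self):
        super().__init__()
        self.pending = {}    # username -> (email, verification code)

    def register(self, username, email, password):
        code = secrets.token_urlsafe(16)
        self.accounts[username] = {"email": None, "password": password}
        self.pending[username] = (email, code)
        self.outbox.append((email, "verify:" + code))

    def confirm_email(self, username, code):
        email, expected = self.pending.get(username, (None, None))
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        if any(a["email"] == email for a in self.accounts.values()):
            return False   # address already owned by a verified account
        self.accounts[username]["email"] = email
        del self.pending[username]
        return True

    def request_reset(self, email):
        for username, acct in self.accounts.items():
            if acct["email"] == email:
                token = secrets.token_urlsafe(16)
                self.tokens[token] = username
                self.outbox.append((email, "reset:" + token))
        return None   # identical response whether or not the address is known

    def reset_password(self, token, username, new_password):
        if self.tokens.pop(token, None) != username:
            return False
        self.accounts[username]["password"] = new_password
        return True


def setup_victim(svc):
    """Legitimate user registers and, where asked, confirms the address by
    reading the verification mail from their own (constructed) mailbox."""
    svc.register("victim", "victim@example.com", "hunter2")
    if hasattr(svc, "confirm_email"):
        _address, message = svc.outbox.pop()
        svc.confirm_email("victim", message.split(":", 1)[1])


def run_attack(svc):
    """Replays the takeover described in the article: register a second account
    on the victim's address, ask for a reset, redeem whatever comes back against
    the victim's username, never reading victim@example.com. Returns True if the
    attacker can then log in as the victim."""
    setup_victim(svc)
    svc.register("attacker", "victim@example.com", "attacker-pw")
    token = svc.request_reset("victim@example.com")
    if token is None:
        return False
    svc.reset_password(token, "victim", "owned")
    return svc.login("victim", "owned")


if __name__ == "__main__":
    print("vulnerable takeover:", run_attack(VulnerableResetService()))  # True
    print("hardened takeover:  ", run_attack(HardenedResetService()))    # False
```

Against the vulnerable model the attacker's reset succeeds and the victim's old password stops working, which is the lock-out the article describes. Against the hardened model the attacker's account never gets the address attached, the only token issued is bound to the victim's username, and it goes solely to the victim's mailbox, so the attacker receives nothing to redeem.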
Since Microsoft is integrating Skype into the Microsoft Account system, this could be a damaging issue for Windows 8 users, as that system steers people toward signing in with a Microsoft Account rather than a local account.
Microsoft has temporarily disabled the password reset function for Skype while it works on a solution.