Microsoft has temporarily suspended password-resetting capabilities for its Skype service while it investigates a report that says it is vulnerable to account-takeover attacks that are trivial to carry out.

The vulnerability “affected some users where multiple Skype accounts were registered to the same e-mail address,” and company officials have contacted “a small number of users who may have been impacted to assist as necessary,” a post published on Wednesday to the Skype status blog said. The officials didn’t say how many people were affected or when the reset feature would be restored.

The update followed a report published to a Russian-language user forum (Google translation here) that claimed Skype users were vulnerable to easily performed account-takeover attacks. All that was required, according to the post, was knowledge of the e-mail address of the victim. Attackers could then register for a new account using the same address. Once logged in to the new account in the Skype client, attackers activated the password-reset feature and waited for the client to display instructions for resetting the passcode.
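A simplified model of the reset flaw described above, added here as an illustration and not Skype's actual code. The vulnerable store accepts an unverified address, allows it on several accounts, and hands reset tokens to whichever logged-in session asks; the hardened store binds an address only after mailbox proof, enforces uniqueness, and mails the reset token instead of showing it in the client. The class names and the in-memory store are assumptions.

```python
import secrets


class VulnerableAccounts:
    """Address is accepted unverified and the reset flow serves the session."""

    def __init__(self):
        self.accounts = {}      # username -> e-mail (never verified)
        self.reset_tokens = {}  # reset token -> username

    def register(self, username, email):
        # No proof that the registrant controls the address, no uniqueness check.
        self.accounts[username] = email

    def request_reset(self, requesting_user):
        # Finds every account sharing the requester's address and hands the
        # reset tokens back to the requesting session, not to the mailbox.
        email = self.accounts[requesting_user]
        tokens = {}
        for user, addr in self.accounts.items():
            if addr == email:
                tokens[user] = secrets.token_hex(8)
                self.reset_tokens[tokens[user]] = user
        return tokens


class HardenedAccounts:
    """Address is bound only after mailbox proof; reset goes to the mailbox."""

    def __init__(self):
        self.accounts = {}  # username -> verified e-mail
        self.pending = {}   # verification token -> (username, email)
        self.outbox = []    # (recipient, message): simulated mail delivery

    def register(self, username, email):
        tok = secrets.token_hex(8)
        self.pending[tok] = (username, email)
        self.outbox.append((email, f"verify:{tok}"))  # only the mailbox owner sees it

    def verify(self, tok):
        username, email = self.pending.pop(tok)
        if email in self.accounts.values():
            raise ValueError("address already bound to another account")
        self.accounts[username] = email

    def request_reset(self, requesting_user):
        # The reset token is mailed to the verified address; the session
        # receives nothing it could use against another account.
        tok = secrets.token_hex(8)
        self.outbox.append((self.accounts[requesting_user], f"reset:{tok}"))
```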

via Ars Technica » Technology Lab