A serious Skype vulnerability was leaked today that allows hijacking a user’s Skype account just by knowing the email address associated with that account.
How to avoid hijacking:
- log in on skype.com (if you still can, that is)
- go to your profile, click Edit and add an email address an attacker won’t guess (or firstname.lastname@example.org if you’re using Gmail)
- click Save
- click Edit again, set the new address as Primary
- click Save, have a laugh at the message, enter the password and click the Enter button or it won’t work (like one bug was not enough)
- delete the old email
Update: Microsoft’s Skype has taken down the password reset page that made the vulnerability exploitable; to protect users, it will only be restored once the investigation is complete.
Update 2: Now fully fixed.
Skype’s Chaim Haas, Senior Vice President, Technology, Emerging Media & Digital Strategy, has written to us to let us know that the Skype password vulnerability has already been resolved and that the password reset process has been updated so that it now works properly.