Microsoft plugs Skype email security hole that let people steal your account


Microsoft has blocked a major Skype security hole that allowed anyone to access your account with only your email address. The only problem now is that it shouldn’t have existed in the first place.

First posted on a Russian forum some months ago – but apparently ignored by Microsoft until today – the security flaw worked like this: Someone creates a new Skype account with your email address, the one associated with your Skype account. In doing so, this person now has the ability to reset the password of both the new account and your actual account, thus gaining access while also blocking you out.
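A minimal model of the flaw described above, added here as an illustration (not code from the article or from Skype, whose internals the article does not describe): the class, method and account names are hypothetical, and it assumes signup accepts an address without verifying it. It contrasts a reset policy that trusts any account listing the address with one that delivers a single-use token to the mailbox only.

```python
# Constructed model of the flaw; hypothetical names, not Skype's code.
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    username: str
    email: str
    password: str

class Service:
    def __init__(self):
        self.accounts = {}   # username -> Account
        self.mailbox = {}    # email -> tokens; only the real mailbox owner can read this
        self.tokens = {}     # outstanding reset token -> username

    def register(self, username, email, password):
        # Assumption: signup binds the address without verifying it.
        self.accounts[username] = Account(username, email, password)

    def reset_weak(self, actor, target, new_password):
        # Flawed policy: listing the same address counts as proof of owning it.
        if self.accounts[actor].email != self.accounts[target].email:
            return False
        self.accounts[target].password = new_password
        return True

    def request_reset(self, target):
        # Hardened: the token goes to the mailbox, never back to the requester.
        token = secrets.token_urlsafe(32)
        self.tokens[token] = target
        self.mailbox.setdefault(self.accounts[target].email, []).append(token)

    def reset_hardened(self, token, new_password):
        target = self.tokens.pop(token, None)   # pop makes the token single-use
        if target is None:
            return False
        self.accounts[target].password = new_password
        return True

def demo():
    svc = Service()
    svc.register("alice", "alice@example.com", "orig-pw")   # constructed sample user
    svc.register("second", "alice@example.com", "x")        # second account, same address
    weak = svc.reset_weak("second", "alice", "taken")       # succeeds: account lost
    svc.accounts["alice"].password = "orig-pw"              # restore for the second run
    svc.request_reset("alice")
    guessed = svc.reset_hardened("not-the-token", "taken")  # fails: no mailbox access
    owner = svc.reset_hardened(svc.mailbox["alice@example.com"][0], "new-pw")
    return weak, guessed, owner, svc.accounts["alice"].password
```
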

The security flaw percolated to the surface earlier today on Reddit, and was later recreated by writers at The Next Web, who successfully gained access to the Skype accounts of two other TNW employees. Microsoft responded quickly by shutting down the password reset page entirely.

“We have had reports of a new security vulnerability issue,” wrote engineer Leonas Sendrauskas on the Skype security blog. “As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority.”

The problem here is that “user experience” and “safety” are diametrically opposed goals. Skype made the user experience of resetting a password less of a hassle by allowing a person to do so with only an email address. But clearly this was not a safe way to do things.

As avoidable as this whole debacle is, we feel for Skype, and every other online system that requires a login: Achieving a balance between user experience and safety is extremely difficult. Imposing meaningful online security means putting roadblocks in the way of people who are trying to use your service. Creating an easy user experience often means ditching security precautions. No matter which way you go, something has to give.

Regardless, it may still be a good idea to beef up your Skype security while Microsoft investigates a fix. The only way to do this is to change the email address associated with your Skype account to something nobody else knows (which probably means creating an entirely new email account). Once you’ve done that, simply log in (assuming you still can), go to Profile > Edit > add new email address. Click Save. Then go to Edit again, and set the new email address as your primary email, then save again. Then enter your password and click the Enter button. Then go back and delete the previous email.

How’s that for user experience?

Update 11 a.m. ET: Skype has released an “updated statement” on the security issue. It reads as follows:

“Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.”

