Microsoft plugs Skype email security hole that let people steal your account


Microsoft has blocked a major Skype security hole that allowed anyone to access your account with only your email address. The only problem now is that it shouldn’t have existed in the first place.

First posted on a Russian forum some months ago – but apparently ignored by Microsoft until today – the security flaw worked like this: Someone creates a new Skype account with your email address, the one associated with your Skype account. In doing so, this person now has the ability to reset the password of both the new account and your actual account, thus gaining access while also blocking you out.
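To make the mechanism concrete, here is an added model of the reset flow as the article describes it, beside a hardened version. This is illustrative code written for this page, not Skype's implementation (which is not public); the account store, class and function names, and the token scheme are all assumptions. The vulnerable service trusts a recovery address the moment it is typed in and applies a reset to every account sharing that address; the hardened one refuses recovery until the address is confirmed and scopes each reset to a single account.

```python
# Added illustrative model of the reset flaw described in the article and a
# hardened alternative. Not Skype's code: the data store, class and function
# names and the token scheme are assumptions made for this example.
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool
    password: str


class VulnerableService:
    """Models the two weaknesses the article describes."""

    def __init__(self):
        self.accounts = {}

    def register(self, username, email, password):
        # Weakness 1: the address is trusted for recovery the moment it is
        # typed in, so a second account can be bound to an address its
        # creator does not control.
        self.accounts[username] = Account(username, email, True, password)

    def reset_password(self, email, new_password):
        # Weakness 2: the reset is keyed on the address, so it rewrites every
        # account sharing it, the original owner's included.
        hit = [a for a in self.accounts.values() if a.email == email]
        for acct in hit:
            acct.password = new_password
        return sorted(a.username for a in hit)


class HardenedService:
    """Recovery only through a verified address, one account per reset."""

    def __init__(self):
        self.accounts = {}
        self.tokens = {}  # token -> (purpose, username, email)

    def _issue(self, purpose, username, email):
        # Stand-in for mailing a one-time link to `email`: the token is
        # returned to the caller only so the example can run offline.
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (purpose, username, email)
        return token

    def register(self, username, email, password):
        # Address is recorded but unusable for recovery until confirmed.
        self.accounts[username] = Account(username, email, False, password)
        return self._issue("confirm", username, email)

    def confirm_email(self, token):
        # Only someone who can read mail at the address reaches this step.
        entry = self.tokens.pop(token, None)
        if entry is None or entry[0] != "confirm":
            return False
        _, username, email = entry
        acct = self.accounts[username]
        if acct.email != email:
            return False
        acct.email_verified = True
        return True

    def request_reset(self, username):
        # Scoped to one account and refused until its address is verified.
        acct = self.accounts.get(username)
        if acct is None or not acct.email_verified:
            return None
        return self._issue("reset", username, acct.email)

    def complete_reset(self, token, new_password):
        # A confirmation token cannot be replayed as a reset token.
        entry = self.tokens.pop(token, None)
        if entry is None or entry[0] != "reset":
            return None
        _, username, _ = entry
        self.accounts[username].password = new_password
        return username


if __name__ == "__main__":
    v = VulnerableService()
    v.register("victim", "victim@example.com", "original")
    v.register("second", "victim@example.com", "anything")
    print("vulnerable reset touched:", v.reset_password("victim@example.com", "new"))

    h = HardenedService()
    h.confirm_email(h.register("victim", "victim@example.com", "original"))
    h.register("second", "victim@example.com", "anything")  # never confirmed
    print("hardened reset for unverified account:", h.request_reset("second"))
    token = h.request_reset("victim")
    print("hardened reset changed:", h.complete_reset(token, "rotated"))
```

In the hardened model the second account registered against the same address never becomes eligible for recovery because nobody confirmed it, and a reset for the original account changes that account alone. A production version would additionally expire tokens, rate-limit requests, and send the link by email rather than returning it, which the example omits only to stay self-contained.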

The security flaw percolated to the surface earlier today on Reddit, and was later recreated by writers at The Next Web, who successfully gained access to the Skype accounts of two other TNW employees. Microsoft responded quickly by shutting down the password reset page entirely.

“We have had reports of a new security vulnerability issue,” wrote engineer Leonas Sendrauskas on the Skype security blog. “As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority.”

The problem here is that “user experience” and “safety” are diametrically opposed goals. Skype made the user experience of resetting a password less of a hassle by allowing a person to do so with only an email address. But clearly this was not a safe way to do things.

As avoidable as this whole debacle is, we feel for Skype, and every other online system that requires a login: Achieving a balance between user experience and safety is extremely difficult. Imposing meaningful online security means putting roadblocks in the way of people who are trying to use your service. Creating an easy user experience often means ditching security precautions. No matter which way you go, something has to give.

Regardless, it may still be a good idea to beef up your Skype security while Microsoft investigates a fix. The only way to do this is to change the email address associated with your Skype account to something nobody else knows (which probably means creating an entirely new email account). Once you’ve done that, simply log in (assuming you still can), go to Profile > Edit > add new email address. Click Save. Then go to Edit again, set the new email address as your primary email, and save again. Then enter your password and click the Enter button. Then go back and delete the previous email.

How’s that for user experience?

Update 11 a.m. ET: Skype has released an “updated statement” on the security issue. It reads as follows:

“Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.”