Microsoft plugs Skype email security hole that let people steal your account


Microsoft has blocked a major Skype security hole that allowed anyone to access your account with only your email address. The only problem now is that it shouldn’t have existed in the first place.

First posted on a Russian forum some months ago – but apparently ignored by Microsoft until today – the security flaw worked like this: Someone creates a new Skype account with your email address, the one associated with your Skype account. In doing so, this person now has the ability to reset the password of both the new account and your actual account, thus gaining access while also blocking you out.

The security flaw percolated to the surface earlier today on Reddit, and was later recreated by writers at The Next Web, who successfully gained access to the Skype accounts of two other TNW employees. Microsoft responded quickly by shutting down the password reset page entirely.

“We have had reports of a new security vulnerability issue,” wrote engineer Leonas Sendrauskas on the Skype security blog. “As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority.”

The problem here is that “user experience” and “safety” are diametrically opposed goals. Skype made the user experience of resetting a password less of a hassle by allowing a person to do so with only an email address. But clearly this was not a safe way to do things.
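The mechanism described above (a second account registered on the same address, then a reset that reaches both accounts) and the trade-off the author raises can be made concrete. The following Python is an added example, not code from the article or from Skype; the account store, its class and method names, and the sample addresses are hypothetical. It puts a store that resets passwords by e-mail address beside a hardened one that admits one account per address, starts recovery only from a verified address, and binds each reset token to a single account id.

```python
"""Added example, not from the article or from Skype: a toy account store
modelling the flaw the article describes (one e-mail shared by two accounts,
reset keyed only by that e-mail) beside a hardened version. All names are
hypothetical."""

import secrets
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    username: str
    email: str
    email_verified: bool = False


class VulnerableStore:
    """Any address may be reused at sign-up, and a reset addressed to an
    e-mail reaches every account that carries it."""

    def __init__(self):
        self.accounts = []
        # Toy store: values are raw passwords. A real store keeps salted
        # hashes; the point here is *which* accounts get changed.
        self.passwords = {}

    def register(self, username, email, password):
        acct = Account(len(self.accounts) + 1, username, email)
        self.accounts.append(acct)
        self.passwords[acct.account_id] = password
        return acct

    def reset_password_by_email(self, email, new_password):
        """Return the ids whose password changed. More than one id is the
        flaw: the holder of the newer account can take over the older one."""
        changed = []
        for acct in self.accounts:
            if acct.email.lower() == email.lower():
                self.passwords[acct.account_id] = new_password
                changed.append(acct.account_id)
        return changed


class HardenedStore(VulnerableStore):
    """Same store with three changes: one account per address, recovery only
    through a verified address, and reset tokens scoped to one account id."""

    def __init__(self):
        super().__init__()
        self.tokens = {}  # one-time token -> account_id

    def register(self, username, email, password):
        # Fix 1: an address belongs to at most one account (case-insensitive).
        if any(a.email.lower() == email.lower() for a in self.accounts):
            raise ValueError("e-mail address already registered")
        return super().register(username, email, password)

    def mark_verified(self, account_id):
        """Called once the user has proven control of the address."""
        self.accounts[account_id - 1].email_verified = True

    def request_reset(self, email):
        # Fix 2: only a verified address can start recovery, and the token
        # is bound to exactly one account id. Unknown and unverified
        # addresses get the same reply, so it does not confirm which exist.
        matches = [a for a in self.accounts
                   if a.email.lower() == email.lower() and a.email_verified]
        if len(matches) != 1:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = matches[0].account_id
        return token  # a real service mails this to that address only

    def complete_reset(self, token, new_password):
        # Fix 3: the token is single-use and names the account directly, so
        # the e-mail address is not consulted again at this step.
        account_id = self.tokens.pop(token, None)
        if account_id is None:
            return None
        self.passwords[account_id] = new_password
        return account_id


def demo():
    """Run both stores through the article's scenario (constructed data) and
    return the account ids each reset changed."""
    weak = VulnerableStore()
    weak.register("owner", "owner@example.com", "correct horse")
    weak.register("second", "Owner@example.com", "anything")  # same address
    weak_changed = weak.reset_password_by_email("owner@example.com", "new")

    strong = HardenedStore()
    owner = strong.register("owner", "owner@example.com", "correct horse")
    try:
        strong.register("second", "Owner@example.com", "anything")
    except ValueError:
        pass  # the duplicate registration is refused
    strong.mark_verified(owner.account_id)
    token = strong.request_reset("owner@example.com")
    strong_changed = [strong.complete_reset(token, "new")]
    return weak_changed, strong_changed


if __name__ == "__main__":
    print(demo())  # ([1, 2], [1])
```

The hardened store also answers a reset request for an unknown or unverified address the same way, so the reset endpoint cannot be used to confirm which addresses have accounts; that detail is an addition of this example, not something the article reports about Skype's fix.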

As avoidable as this whole debacle is, we feel for Skype, and every other online system that requires a login: Achieving a balance between user experience and safety is extremely difficult. Imposing meaningful online security means putting roadblocks in the way of people who are trying to use your service. Creating an easy user experience often means ditching security precautions. No matter which way you go, something has to give.

Regardless, it may still be a good idea to beef up your Skype security while Microsoft investigates a fix. The only way to do this is to change the email address associated with your Skype account to one nobody else knows (which probably means creating an entirely new email account). Once you’ve done that, simply log in (assuming you still can), go to Profile > Edit > add new email address, and click Save. Then go to Edit again, set the new email address as your primary email, and save again. Then enter your password and click the Enter button. Finally, go back and delete the previous email.

How’s that for user experience?

Update 11 a.m. ET: Skype has released an “updated statement” on the security issue. It reads as follows:

“Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.”
