Wednesday, November 14, 2012

PSA Security & Hacking: Skype Password Reset Exploit

Edited to add: Skype is patched now.

http://heartbeat.skype.com/2012/11/security_issue.html
[UPDATE:14/11/2012@15:28GMT]
Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.

*****************

This story is breaking all over the net now; I like Sophos Naked Security's article the best: http://nakedsecurity.sophos.com/2012/11/14/skype-security-hijack/

They refer to this article: http://thenextweb.com/microsoft/2012/11/14/security-hole-allows-anyone-to-hijack-your-skype-account-using-only-your-email-address/

Supposedly this has been used in the wild for months; it was evidently posted about on Russian forums that long ago.

Official Skype statement from http://heartbeat.skype.com/2012/11/security_issue.html:
We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority.

I don't have any other details to provide at the moment.
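Skype's update above says the affected condition was several accounts registered to one email address. The page does not describe how Skype's reset flow actually worked, so the following is an added example (not Skype's code and not from the articles linked above) of the defensive property a reset flow needs in that situation: a reset token is bound to one specific account at issue time, is stored hashed, expires, is single-use, and cannot be redeemed against any other account that happens to share the same email. The account store, account names and email are constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory store: two accounts registered to the SAME email address,
# the situation Skype's statement says was affected.
ACCOUNTS = {
    "alice_main":   {"email": "alice@example.com", "password_hash": "h1"},
    "alice_second": {"email": "alice@example.com", "password_hash": "h2"},
}
# sha256(token) -> {"account": id, "email": email, "expires": unix time}
# Only the hash is stored, so a leaked table cannot be turned into usable tokens.
TOKENS = {}
TOKEN_TTL = 600  # seconds a reset token stays valid


def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(account_id, email, now=None):
    """Issue a reset token for ONE named account; the email must match that account.
    Returns the token (to be delivered to that email) or None, with the same
    response shape either way so callers cannot enumerate accounts."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["email"] != email:
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[_key(token)] = {"account": account_id, "email": email,
                           "expires": now + TOKEN_TTL}
    return token


def redeem_reset(token, target_account, new_password_hash, now=None):
    """Apply a token only to the account it was issued for, once, before expiry.
    Any failed attempt consumes the token."""
    now = time.time() if now is None else now
    rec = TOKENS.pop(_key(token), None)          # single use: removed on first try
    if rec is None or now > rec["expires"]:
        return False
    if rec["account"] != target_account:
        return False                             # bound to one account, not to the email
    acct = ACCOUNTS[rec["account"]]
    if acct["email"] != rec["email"]:
        return False                             # email changed since issue: refuse
    acct["password_hash"] = new_password_hash
    return True
```

The key check is that redemption compares the token's recorded account id with the account being reset; matching on email alone would let a token issued for one account reset every account that shares that email.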
