Skype vulnerability may have exposed your messages

Microsoft sat by for months before plugging a security hole that could have allowed others to see all your stored Skype data

Microsoft just plugged a gaping security hole in Skype by disabling password resets. But until a few hours ago, if someone had both your Skype username and the email address associated with your account, they could go in and look at all of your old Skype data -- including the contents of any messages you recently sent or received. 

Two months ago a Russian site, Xeksec, posted detailed exploit instructions. Today Emil Protalinski at The Next Web reproduced the exploit. After confirming that he could break into others' Skype accounts, he notified Microsoft and, after a few hours, tossed up a red flag on TNW's website. Several hours later, Microsoft responded by pulling down the Skype password reset site that holds the key to the hack.

As exploits go, it's incredibly simple. If you know a person's Skype name and can guess the email address associated with that name, you're basically in. As Protalinksi explains it:

When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account.

Until Microsoft yanked the password reset site, anyone who knew your Skype username and the associated email address could log in to your account, change the password, and -- most distressing -- take a look at any stored information, including IMs sent or received in your messaging history.

Microsoft announced last week that it's phasing out Windows Live Messenger and folding the features and contacts into Skype. Tony Bates, president of Microsoft's Skype division, put it this way:

We've got good news to share! Skype and Messenger are coming together. Millions of Messenger users will be able to reach their Messenger friends on Skype. By updating to Skype, Messenger users can instant message and video call their Messenger friends... We will retire Messenger in all countries worldwide in the first quarter of 2013 (with the exception of mainland China where Messenger will continue to be available).

According to Protalinski, the Russian hackers reported the security hole to Microsoft. Apparently nobody inside Microsoft found it interesting enough to pursue until Protalinkski reproduced -- and publicized -- the results earlier today.

Skype just posted official recognition of the problem:

We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority.


This story, "Skype vulnerability may have exposed your messages," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2012 IDG Communications, Inc.