Skype account hijack exploit finally closed
Microsoft (NASDAQ: MSFT) has finally closed a security vulnerability that allowed a hacker to hijack a victim's Skype account. The original instructions were posted some two months back, and reposted mid-week here with a note that the problem still existed.
The new post was widely reported by various online sites, forcing Microsoft to temporarily disable password resets as it scrambled to fix the vulnerability. The hole was closed and the password reset service was re-enabled hours later.
Rik Ferguson, director of security research and communication at Trend Micro, described the problem as "child's play" to exploit, noting that even the most "inexperienced" of computer users could do it. Following the published steps will lock the legitimate user out of the Skype account, allowing the hacker to receive and send messages destined for the victim.
He wrote: "All that was necessary was to create a new Skype ID, and associate it with the email address of your victim. Once this procedure is complete, a flaw in the password reset procedure allowed the attacker to assume control over the victim's account by using the online password reset form."
Microsoft has received criticism for the security flaw, as well as for the length of time that the flaw had been actively exploited. As Microsoft positions Skype for use in business, it will have to gain back the trust of customers by showing that it can address any lingering security issues in Skype, which it acquired last year.