- V3 Apps
Skype has begun investigating reports of a critical flaw that allowed attackers to hijack control of some users' account.
News of the vulnerability broke on Tuesday evening, though Skype only admitted it was aware of the issue on Wednesday.
"We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further," Skype said in a statement.
"We apologise for the inconvenience but user experience and safety is our first priority."
The vulnerability allowed third parties to gain control of a Skype user's account using the service's password reset feature.
"The way it worked was that you would create a new Skype account with the same email as your target - say, firstname.lastname@example.org," explained F-Secure security chief Mikko Hypponen.
"Then you would issue a password reset request for the account you just created. Skype would then prompt you to pick which account you would like to reset and then the attacker would select the Skype name of the target and his Skype password would be reset - easy."
Hypponen said that disabling the reset service should be enough to stop hackers exploiting the vulnerability.
"Microsoft has now disabled the password reset link on skype.com, so the vulnerability doesn't not seem to be there anymore," Hypponen told V3.
The exploit's discovery follows an increase in criminal's interest in the chat service. Prior to it security firm Trend Micro discovered the dorkbot ransomware targeting the Skype users.