- V3 Apps
Skype said it has addressed a security flaw which had left users vulnerable to account thefts and forced the company to suspend its recovery service.
The company said that the flaw, which came to light Wednesday and was reportedly uncovered by a Russian security researcher several months ago, is now resolved and users can once again request password recoveries.
The vulnerability had allowed an attacker to take over control of an account by simply discovering the target's email address. While Skype has not disclosed how many accounts were compromised, the company said that only a "small number" of users who had multiple accounts on the same email address were affected.
"We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly," the company said.
"We are reaching out to a small number of users who may have been impacted to assist as necessary."
After word of the vulnerability surfaced, security researchers criticised Skype for its insecure procedures. Rik Ferguson, director of security research and communication for Trend Micro, noted that protecting against the flaw as it stood was impractical for many users.
"Before the access to reset passwords was disabled, the only way to protect yourself was to register an entirely separate and secret email address for use with your Skype account," Ferguson wrote.
"This is not only security by obscurity, it could theoretically leave you more open to attacks as you are less likely to investigate regularly the inbox of such little-used addresses."