Any Skype account can be hijacked with just an email address, Microsoft already on the case

File this under pretty damn serious: Russian hackers have found a way to access any Skype account and take full control using just an email address, and the methods used were confirmed to be still working by The Next Web when they tested the exploit for themselves. The method in question can lead to the hijacker changing the password on a Skype account which has been accessed, and then the original owner would no longer have control.

For the moment, Skype has disabled password resets, which was one of the major steps to full control of a hijacked account. If you are paranoid about your account anyway, you can follow these steps to change your email address:

  • Go to skype.com and log in
  • Go to your profile and add a new email address that a hacker wouldn't be able to guess
  • Click Save, then click Edit again and set the address as Primary
  • Click Save, enter your password, click (specifically) the Enter button
  • Delete your old email address from Skype

One of the big issues with this security flaw is that Skype stores full conversation histories in the cloud, so a person with malicious intent could hijack an account to look through private and personal conversations. It appears as though the hacking method is being addressed as we type, with Microsoft releasing the following statement (via The Verge):

We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority

Expect a full statement on the cause of the issue sometime soon.

Source: The Next Web

19 Comments


Billa said,
They've just disabled the option, so the security hole is no more.

No, they've disabled password resetting - the vulnerability to gain access to someone's account is still present; you just won't be able to change their email address.

"One of the big issues with this security flaw is that Skype stores full conversation histories in the cloud"
!? I didn't know they did that.

n_K said,
"One of the big issues with this security flaw is that Skype stores full conversation histories in the cloud"
!? I didn't know they did that.

Yeah, I'm quite surprised by that too!!! ...I just assumed conversations were stored locally, not in the "cloud" as well!

n_K said,
"One of the big issues with this security flaw is that Skype stores full conversation histories in the cloud"
!? I didn't know they did that.

I think it's a misunderstanding of how (or where from) Skype actually pulls the conversation history. It does so when you log in to Skype from more than one place; then the Skype clients exchange conversation history between those places.

n_K said,
"One of the big issues with this security flaw is that Skype stores full conversation histories in the cloud"
!? I didn't know they did that.

If they were stored in the cloud, the Skype Metro app and other Skype-bridged clients could pick them up. I don't think so...

n_K said,
"One of the big issues with this security flaw is that Skype stores full conversation histories in the cloud"
!? I didn't know they did that.

They've been stored in the cloud for ages, way before Microsoft took it over; that's how they show up on your phone when you log out on your PC/Mac and log in on your phone.

I can say I'm an advanced Windows user and yet I didn't know this either.
I also thought it was stored locally and not in the cloud!
Boy, this sure tells you something about how transparent some services should become!

n_K said,
"One of the big issues with this security flaw is that Skype stores full conversation histories in the cloud"
!? I didn't know they did that.

How could you not know that? I've got Skype installed on 4 different devices here; where the hell did you think it was storing it all? They all have to sync up from somewhere, and it's been like this for years and years, especially if you're on a portable device or, say, you log in from someone else's house. How else did you think the data got there?

DKAngel said,
How could you not know that? I've got Skype installed on 4 different devices here; where the hell did you think it was storing it all? They all have to sync up from somewhere, and it's been like this for years and years, especially if you're on a portable device or, say, you log in from someone else's house. How else did you think the data got there?

Like I said, it pulls history from other devices/PCs that are online at the moment.

x.iso said,
Like I said, it pulls history from other devices/PCs that are online at the moment.

I'd think so too. When I install Skype, it doesn't sync my history. That's why I always back up the Skype folder in %appdata%... I wish it was in the cloud though!

Sas Center said,
I'd think so too. When I install Skype, it doesn't sync my history. That's why I always back up the Skype folder in %appdata%... I wish it was in the cloud though!

Exactly. Without its folder it will not have any conversations.

dvb2000 said,
This is even more critical now that you can log onto skype with Microsoft logon id's!

But you can't use a Skype ID as a Microsoft ID, so this exploit doesn't really extend that far.

dvb2000 said,
This is even more critical now that you can log onto skype with Microsoft logon id's!

Microsoft ID and Skype ID are 2 totally different services. Skype is just an addon for your Microsoft ID which enables you to check conversations etc...

Kenny Kanashimi Chu said,
Microsoft ID and Skype ID are 2 totally different services. Skype is just an addon for your Microsoft ID which enables you to check conversations etc...

It's the opposite: Microsoft ID is optional for Skype, not the other way around.