Skype is making news again. In October, a trojan was burning a path through Skype users. Now, a new security issue has surfaced that allows attackers to change a user’s password in just five steps with the victim’s account name and email address. Details about the security flaw were actually posted on a Russian hacker site months ago, but increasing use of the hack only recently attracted the attention of the Skype team at Microsoft.
Microsoft responded by disabling the ability to reset passwords in Skype. Leonas Sendrauskas, a Web Quality Assurance Engineer issued a statement on behalf of Skype,
“We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority.”
Since the issue gained attention, Microsoft reacted quickly and has resolved the issue. The company also indicated they are reaching out to users impacted by the issue, but did not reveal the total number of users that were effected.
This week’s breach is just the latest in a series of small problems that have occurred since Microsoft acquired the popular software last year for $8.5 billion in spite of protests by many users. Since that time there have been multiple outages and small security bugs. Microsoft also recently released a major user interface update that brings Skype more inline with the look and feel of Windows 8.
Although this breach only impacted the Skype client, it should raise the eyebrows of enterprise IT leaders. Free tools like Skype that were designed for consumer use are making their way into businesses and are increasingly being targeted by attackers as an easy way to breach enterprise security defenses. Users should be especially careful about revealing details like email and credentials – especially on work machines.