Thread: Skype users warned of accounts that can be hijacked with ease

  1. #1

    Skype users warned of accounts that can be hijacked with ease

    A serious security problem has been uncovered in Skype, which allows hackers to hijack accounts just by knowing users' email addresses.

    The Next Web describes how it managed to reproduce the attack, accessing the Skype accounts of staff by just knowing their email address, and then changing the passwords of their "victims" to lock them out.

    According to The Next Web:
    "The reason this works is simple, but it's still worrying. When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account."
    The issue was reportedly documented on Russian forums months ago, and appears to have been easy to exploit.
    Read more: http://nakedsecurity.sophos.com/2012...curity-hijack/
    The Next Web article on it: http://thenextweb.com/microsoft/2012...email-address/
    "The best software is the one that fits your needs." - A_A

    Virus free since: date unknown
    Anti-virus free since: August 2008

  2. #2

    A number of hours after The Next Web revealed a flaw in the way Skype handled password resets, allowing third parties to hijack accounts using just an email address, Skype has said that it has now fixed the issue. The company has confirmed it first mitigated the issue, but has now updated its password reset process so that it doesn’t send tokens to the client. We have confirmed ourselves that this flaw has been fixed.
    http://thenextweb.com/microsoft/2012...sers-affected/
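
The flaw quoted in post #1 and the fix described in post #2, as a simplified model added here (not Skype's code and not from either article). It assumes the service let an unverified email address be attached to a new account and pushed reset tokens to clients signed in under that address; all class, function and account names are hypothetical.

```python
import secrets

class ResetService:
    """Toy account service with email-based password reset (constructed model)."""
    def __init__(self, send_token_to_clients):
        self.send_token_to_clients = send_token_to_clients
        self.accounts = {}   # username -> {"email": ..., "password": ...}
        self.clients = {}    # username -> in-app notification inbox
        self.mailbox = {}    # email address -> messages (out-of-band channel)
        self.tokens = {}     # outstanding reset token -> email address

    def sign_up(self, username, email, password):
        # Assumed weak point 1: the address is accepted without proof of ownership.
        self.accounts[username] = {"email": email, "password": password}
        self.clients[username] = []
        return self.clients[username]   # what the new signed-in client can read

    def request_reset(self, email):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = email
        self.mailbox.setdefault(email, []).append(token)   # only the mailbox owner sees this
        if self.send_token_to_clients:
            # Assumed weak point 2: the token is also delivered in-app to every
            # client whose account lists this address.
            for user, acct in self.accounts.items():
                if acct["email"] == email:
                    self.clients[user].append(token)

    def redeem(self, token, username, new_password):
        email = self.tokens.pop(token, None)   # single use
        if email is None or self.accounts[username]["email"] != email:
            return False
        self.accounts[username]["password"] = new_password
        return True

def takeover_possible(send_token_to_clients):
    """True if a second account on the same address can reset the first one."""
    svc = ResetService(send_token_to_clients)
    svc.sign_up("original_user", "owner@example.test", "orig-pw")
    second_inbox = svc.sign_up("second_user", "owner@example.test", "x")
    svc.request_reset("owner@example.test")
    if not second_inbox:   # token went to the mailbox only
        return False
    return svc.redeem(second_inbox[0], "original_user", "changed")

if __name__ == "__main__":
    print("token pushed to clients:", takeover_possible(True))
    print("token emailed only:     ", takeover_possible(False))
```

The invariant the fix restores is that a reset token travels only over a channel that proves control of the mailbox; verifying the address at sign-up would close the first weak point as well.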

  3. #3

    Issue fixed:
    http://heartbeat.skype.com/2012/11/security_issue.html

    And also a 24-hour free call is being offered, but the servers are hammered:
    http://www.skype.com/intl/en-us/pric...ld?cm_mmc=AFCJ
    Currently: HP Touchsmart 14t
    SM-G935FD - S7 Edge dual sim: Android 7 Official
    The 3 C's in life: Choice, Chance, Change. You must make the Choice, to take the Chance, if you want anything in life to Change.