November 14, 2012 - 16:44 AMT
PanARMENIAN.Net - Skype has disabled password resets, in response to a security vulnerability that allows accounts to be hijacked with only the user's email address, TG Daily reports.
Almost unbelievably, it's possible for a hacker to sign up to Skype for a new account using the same email address as the target. The hacker can then reset the password, not just for that account, but for all accounts with that email address.
While the genuine user would see what was happening if they were signed in to Skype at the time, they'd need to act quickly to stop the hijack.
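The failure the article describes is a reset that is keyed on an e-mail address rather than on one verified account. The following is an added illustration, not Skype's code, with constructed account names and a shared address; it shows the vulnerable pattern next to a reset that is bound to a single verified account and is single-use.

```python
"""Password-reset scoping: a vulnerable reset beside a hardened one (added example)."""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    password: str
    email_verified: bool = False  # set True only after a mailbox round-trip


class AccountStore:
    def __init__(self):
        self.accounts = {}  # username -> Account
        self.tokens = {}    # reset token -> username it was issued for

    def register(self, username, email, password, verified=False):
        # No duplicate-e-mail check: that is the condition the flaw relied on.
        self.accounts[username] = Account(username, email, password, verified)

    def reset_by_email_unsafe(self, email, new_password):
        """Vulnerable pattern: a caller who owns *any* account with this e-mail
        resets *every* account that shares it. Returns the number changed."""
        changed = [a for a in self.accounts.values() if a.email == email]
        for acct in changed:
            acct.password = new_password
        return len(changed)

    def issue_reset_token(self, username):
        """Hardened step 1: the token is bound to one account and is only issued
        when that account's e-mail was verified, so it reaches the real owner."""
        acct = self.accounts[username]
        if not acct.email_verified:
            raise PermissionError("e-mail address not verified for this account")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = username
        return token  # a real system mails this; it is never shown to the caller

    def reset_with_token(self, token, new_password):
        """Hardened step 2: a single-use token resets only the account it was
        issued for, never sibling accounts that share the e-mail address."""
        username = self.tokens.pop(token, None)  # pop makes the token single-use
        if username is None:
            return False
        self.accounts[username].password = new_password
        return True
```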
The vulnerability was first uncovered several months ago by a team of Russian hackers and posted on the Xeksec site. It has since been verified by The Next Web.
Microsoft-owned Skype has promised to look into the flaw, and has in the meantime taken action to stop anyone exploiting it.
"We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further," says the company. "We apologize for the inconvenience, but user experience and safety is our first priority."
The Russian hackers who discovered the exploit say they warned Skype some time ago, but the company took no action. It's not the first time that Skype's been accused of dragging its heels over a security fix, most notably when it took 18 months to repair a hole that revealed users' IP addresses and other data earlier this year.