Despite Microsoft having been warned of the issue, for more than two months Skype has been vulnerable to a bug that enabled attackers to easily hijack any user’s Skype account.
Details of the vulnerability were first published in August on an online Russian-language hacking forum. On Tuesday, the same Russian hacking forum user posted an update, reporting that the flaw still hadn’t been fixed.
That finally led Skype on Wednesday to acknowledge the security vulnerability and begin working on a fix. “Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address,” wrote Skype Web quality assurance engineer Leonas Sendrauskas in a blog post. “We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.”