
Skype disables password resets due to e-mail security flaw

The VoIP provider has removed its password reset page to deal with a security hole that lets someone take control of another person's account.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.

Update, 10:25 a.m. PT: Skype has since resolved the security issue and reinstated the password reset page.

Skype is investigating a security problem that allows someone to take over a user's account by resetting the account password.

The VoIP service provider best known for video calls confirmed in its blog today that it has taken down its password reset page as it probes the issue:

We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety are our first priority.

The problem was first documented on a Russian forum two months ago, according to blog site TG Daily. The people who uncovered the flaw reportedly told Skype about it, but the company apparently failed to address the matter until now.

The flaw itself isn't that difficult to exploit.

A person merely has to create a new Skype account using the same e-mail address as that of the intended victim. That person can then reset the password for all accounts associated with that e-mail address, thereby locking out the original account owner from Skype.
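As an added illustration (constructed for this article, not Skype's code), the following Python model contrasts the weak design described above, in which a typed-in address is trusted and a password reset reaches every account sharing it, with a design that only honours addresses confirmed through the mailbox. Usernames, addresses and passwords are made up.

```python
from dataclasses import dataclass, field

# Constructed model of account/e-mail linking; not Skype's implementation.

@dataclass
class Account:
    username: str
    password: str
    emails: set = field(default_factory=set)    # addresses the user typed in
    verified: set = field(default_factory=set)  # addresses confirmed by mailbox link

class AccountStore:
    def __init__(self, require_verification):
        # False reproduces the weak design: a typed address is trusted as-is.
        self.require_verification = require_verification
        self.accounts = {}

    def register(self, username, email, password):
        # No uniqueness check on the address: anyone can claim it at sign-up.
        self.accounts[username] = Account(username, password, {email})

    def confirm_email(self, username, email):
        """Simulates the user clicking a confirmation link sent to `email`."""
        for other in self.accounts.values():
            if other.username != username and email in other.verified:
                return False  # one verified owner per address
        self.accounts[username].verified.add(email)
        return True

    def _owns(self, acct, email):
        if self.require_verification:
            return email in acct.verified
        return email in acct.emails

    def reset_via_shared_email(self, requester, new_password):
        """Reset every other account sharing an address the requester owns.
        Returns the usernames whose password changed."""
        me = self.accounts[requester]
        changed = []
        for acct in self.accounts.values():
            if acct.username == requester:
                continue
            if any(self._owns(me, e) and self._owns(acct, e) for e in me.emails):
                acct.password = new_password
                changed.append(acct.username)
        return sorted(changed)
```

With verification required, a second account that merely types the same address can neither confirm it (the address already has a verified owner) nor reach the original account through a reset.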

The Next Web tested the process on some of its own staff members (with their knowledge) and was successfully able to change their Skype passwords and lock them out of their accounts.

Disabling the password reset page should keep attackers from taking advantage of the flaw until Skype actually fixes the underlying issue.

Those of you still concerned about the vulnerability can change your associated Skype e-mail address to something less public as a safeguard.

To change your associated e-mail address, log into your Skype account. Under account details, click on the profile link. Scroll down to the contact details section and click on the link to add e-mail address. Add a different e-mail address -- one you don't commonly use. Click on the save button to save your changes. Scroll to the bottom of the section and click on the edit button. Scroll back up to view your e-mail addresses. Set your new address as the primary one and then click on save again.

Update, 6:20 a.m. PT: Adds response from Skype.