Multiple people are posting about a very trivial “vulnerability” in Skype that allows you to take over anyone’s Skype account if you just know their email address. For some reason, when you reset the password for your own account or a dummy account you created, entering the victim’s email address for the password reset (assuming you have already set your own email address on your own or dummy account) lets you take over their account.

From there, you can see their chat and call history and everything else. There is apparently no known defense except to change your email address to something relatively unknown, such as a newly created Gmail account. You might want to change your account password after that.

Step-by-step instructions here.

This is a massive fail on the part of Skype, which is used by loads of people globally.

Update: Skype has disabled that password reset feature.
