Skype had a security flaw that allowed hackers to access and control accounts with only the help of an email address.
The Next Web learned of the security hole and reproduced the attack to see if it worked. The Next Web writer Emil Protalinski used co-worker Josh Ong as a pretend target: he created a new Skype account with Ong's email address and tied his own email address to it as well.
A couple of steps later, Protalinski was able to see both his new username with Ong's email address as well as Ong's original username. More importantly, he received the option to change the password to Ong's account.
From there, Protalinski changed the password and locked Ong out of his account. Ong couldn't log back in until Protalinski gave him the new password.
"The reason this works is simple, but it’s still worrying," wrote Protalinski. "When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account."
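To make the mechanism Protalinski describes concrete, here is an added toy model of a password-reset flow, written for this article; it is not Skype's or Microsoft's code and not The Next Web's. It places the weak design (reset tokens for every account sharing an email address handed to the logged-in app session) beside the corrected one (tokens delivered only to the mailbox); the usernames and email address are constructed.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str
    password: str


@dataclass
class ResetService:
    """Toy password-reset flow (constructed model, not Skype's real code)."""
    in_app_delivery: bool                            # weak mode when True
    accounts: dict = field(default_factory=dict)     # username -> Account
    tokens: dict = field(default_factory=dict)       # token -> username it resets
    mailbox: dict = field(default_factory=dict)      # email -> [token]

    def register(self, username, email, password):
        # As in the article, a second account may be registered to an existing email.
        self.accounts[username] = Account(username, email, password)

    def request_reset(self, session_username):
        """Issue reset tokens for every account bound to the session's email.
        Weak mode returns them to the calling app session; hardened mode
        delivers them only to the mailbox, which only its owner can read."""
        email = self.accounts[session_username].email
        issued = []
        for acct in self.accounts.values():
            if acct.email == email:
                tok = secrets.token_urlsafe(16)
                self.tokens[tok] = acct.username
                issued.append(tok)
        if self.in_app_delivery:
            return issued                    # flaw: whoever holds the session gets them
        self.mailbox.setdefault(email, []).extend(issued)
        return []                            # nothing is exposed to the session

    def redeem(self, token, new_password):
        username = self.tokens.pop(token)    # single use; KeyError if unknown/used
        self.accounts[username].password = new_password
        return username


def simulate(in_app_delivery):
    """Replay the article's scenario; return (usernames the session could reset,
    the original account's password afterwards)."""
    svc = ResetService(in_app_delivery)
    svc.register("ong", "ong@example.com", "victim-pw")       # existing account
    svc.register("new_user", "ong@example.com", "new-pw")     # re-registers the same email
    reached = {svc.redeem(t, "changed") for t in svc.request_reset("new_user")}
    return sorted(reached), svc.accounts["ong"].password
```

In the weak mode the new session can redeem a token for the original username; in the hardened mode the token only ever exists in the mailbox, so registering a duplicate account gains nothing.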
The Next Web contacted Microsoft, which owns Skype, about the vulnerability. Microsoft responded saying that it was conducting an internal investigation. Later, it plugged the security hole and said only a "small number of users" had been affected.
Here is Microsoft's statement to The Next Web:
Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly.
We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.