A serious vulnerability in Skype has come to light. This vulnerability allowed you to take over the Skype account of any other user, armed only with knowledge of their e-mail address.
Proof of concept for the issue was posted in a Russian forum about three months ago and the original poster posted again on a different site just yesterday that the vulnerability was still not fixed. The author also notes that abuse of the vulnerability has been widespread, affecting many users from his own contact list.
In essence, the procedure is so simple it could be carried out by even the most inexperienced of computer users. All that was necessary was to create a new Skype ID and associate it with the e-mail address of your victim. Once this was done, a flaw in the password reset procedure allowed the attacker to assume control over the victim's account by using the online password reset form. This would lock the victim out of their Skype account and allow the hacker to receive and respond to all messages destined for that victim until further notice. I tested the vulnerability and the entire process took only a matter of minutes.
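The failure mode described above, modelled as an added example (this is not Skype's code, and the page does not describe the internals of Skype's reset flow): an account service that lets a registrant merely claim an e-mail address, and whose reset form hands the requester tokens for every account on that address. The service, account names and addresses are constructed; the hardened rule, which only honours links that were confirmed through the mailbox itself, is the assumed fix.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool      # True only after a code mailed to `email` was echoed back
    password_hash: str = "unchanged"


class AccountService:
    """Constructed model, not a real service. `require_verified_email` toggles the fix."""

    def __init__(self, require_verified_email: bool) -> None:
        self.require_verified_email = require_verified_email
        self.accounts: dict[str, Account] = {}
        self.reset_tokens: dict[str, str] = {}   # token -> username it may reset

    def register(self, username: str, email: str) -> Account:
        # Weak step: the address is merely claimed; nothing proves the registrant owns it.
        self.accounts[username] = Account(username, email, email_verified=False)
        return self.accounts[username]

    def confirm_email(self, username: str) -> None:
        # Stands in for the owner clicking a link that was mailed to the address;
        # someone who cannot read that mailbox can never reach this step.
        self.accounts[username].email_verified = True

    def request_reset(self, requester: str) -> dict[str, str]:
        """Reset form keyed on the requester's e-mail: returns {username: token}."""
        me = self.accounts[requester]
        grants: dict[str, str] = {}
        for acct in self.accounts.values():
            if acct.email != me.email:
                continue
            # Hardened rule: a bare claim to an address grants nothing; both the
            # requester's link and the target's link must have been confirmed.
            if self.require_verified_email and not (me.email_verified and acct.email_verified):
                continue
            token = secrets.token_urlsafe(16)
            self.reset_tokens[token] = acct.username
            grants[acct.username] = token
        return grants

    def reset_password(self, token: str, new_hash: str) -> str:
        username = self.reset_tokens.pop(token)      # one-time use
        self.accounts[username].password_hash = new_hash
        return username


def takeover_possible(require_verified_email: bool) -> bool:
    """True if a fresh account claiming an existing user's address can reset that user."""
    svc = AccountService(require_verified_email)
    svc.register("victim", "victim@example.com")
    svc.confirm_email("victim")                           # legitimate owner verified
    svc.register("newcomer", "victim@example.com")        # same address, never verified
    grants = svc.request_reset("newcomer")
    return "victim" in grants and svc.reset_password(grants["victim"], "chosen") == "victim"
```

Flipping the flag shows that the reset form itself is not the only weak point: accepting an unverified e-mail link is what lets a stranger appear on the same mailbox in the first place.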
The issue has been reported to Microsoft (who acquired Skype last year) and as a precautionary measure they have simply removed the online password reset page while the underlying flaw is investigated.
Before access to the password reset page was disabled, the only way to protect yourself was to register an entirely separate and secret e-mail address for use with your Skype account. This is not only security by obscurity; it could theoretically leave you more open to attacks, as you are less likely to check the inbox of such a little-used address regularly.
Moral of the story? Even information which you are used to handing out to anyone can be used against you; there is no such thing as too much privacy.
Image credit: dingler1109 on Flickr, used under Creative Commons.