Wow, looks like Skype really messed up with this one, but they responded really quickly to fix it… only 2 months after it went public! You can read more at this link…
Skype vulnerability allowing hijacking of any account if you know just the email address. (self.netsec)
submitted 10 hours ago by turisto
Here’s the original link where I’ve read about this (in Russian) – http://habrahabr.ru/post/158545/ – with multiple people in the comments confirming it works and also reporting their accounts were stolen.
Here’s how it works:
Sign up for a new Skype account. Use the victim’s email. A warning will come up that an account with that email already exists, but you can still proceed with filling out the form and account creation.
Log in to the Skype client with your new account.
https://login.skype.com/account/password-reset-request – request a password reset using the victim’s email.
You will get a password reset notification and token in your skype client. Follow the link to pick the victim’s account and reset the password.
It appears the only way to safeguard yourself for now is to change your main Skype account email to one that’s not publicly known.
How to avoid hijacking:
log in on skype.com (if you still can, that is)
go to the profile, click Edit and add an email address an attacker won’t guess. (Or firstname.lastname@example.org if you’re using Gmail)
click Edit again, set the new address as Primary
click Save, have a laugh at the message, enter the password and click the Enter button or it won’t work (like one bug was not enough)
delete the old email
Unfortunately for Skype, their problems keep piling up. Apparently names under 3 characters are not valid: http://i.imgur.com/6yQqW.jpg, and this field is necessary for you to add a new email address (it was previously blank for me).
Way to alienate all those users with short Asian last names…
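The root cause described in the post is a password-reset flow that (a) lets a second account be created on an already-registered, unverified email address and (b) pushes the reset token to every client logged in with an account sharing that address, unbound to a single account. The following Python model is an added illustration, not Skype's code or anything from the Reddit post; the account names, in-memory store, "client inbox" and "mail outbox" are all constructed here. It puts the flawed design beside the hardened one: enforce email uniqueness and verification at signup, bind each token to exactly one account, and deliver it only to the verified address.

```python
"""Model of a reset flow with the flaw the post describes, beside a hardened one.
Constructed example: no real service, accounts or addresses are involved."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool


@dataclass
class Service:
    accounts: dict = field(default_factory=dict)      # username -> Account
    client_inbox: dict = field(default_factory=dict)  # username -> tokens pushed in-client
    mail_outbox: dict = field(default_factory=dict)   # email -> tokens sent by mail
    tokens: dict = field(default_factory=dict)        # token -> usernames it may reset

    # --- flawed behaviour (as described in the post) ---
    def register_flawed(self, username, email):
        # A duplicate address only produces a warning; the account is still created
        # and the address is never verified.
        self.accounts[username] = Account(username, email, email_verified=False)

    def reset_request_flawed(self, email):
        # One token, usable against every account sharing the address, pushed to
        # each of those accounts' logged-in clients.
        token = secrets.token_urlsafe(16)
        matches = [a for a in self.accounts.values() if a.email == email]
        self.tokens[token] = [a.username for a in matches]
        for a in matches:
            self.client_inbox.setdefault(a.username, []).append(token)
        return token

    # --- hardened behaviour ---
    def register_hardened(self, username, email):
        # Reject the signup outright instead of warning and continuing.
        if any(a.email == email for a in self.accounts.values()):
            raise ValueError("email already in use")
        self.accounts[username] = Account(username, email, email_verified=False)

    def verify_email(self, username):
        self.accounts[username].email_verified = True

    def reset_request_hardened(self, email):
        # Token bound to exactly one verified account, delivered only to that
        # mailbox. Anything else is a silent no-op so the request does not reveal
        # whether the address is registered.
        matches = [a for a in self.accounts.values()
                   if a.email == email and a.email_verified]
        if len(matches) != 1:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = [matches[0].username]
        self.mail_outbox.setdefault(email, []).append(token)
        return token

    def accounts_resettable_with(self, token):
        return self.tokens.get(token, [])


def demo_flawed():
    """Second account on the same address receives a token that resets the first."""
    svc = Service()
    svc.register_flawed("victim", "victim@example.org")
    svc.register_flawed("second", "victim@example.org")  # only a warning in the flawed flow
    token = svc.reset_request_flawed("victim@example.org")
    return (token in svc.client_inbox["second"],
            "victim" in svc.accounts_resettable_with(token))


def demo_hardened():
    """Duplicate signup rejected; token goes only to the verified mailbox."""
    svc = Service()
    svc.register_hardened("victim", "victim@example.org")
    svc.verify_email("victim")
    try:
        svc.register_hardened("second", "victim@example.org")
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    token = svc.reset_request_hardened("victim@example.org")
    return (duplicate_rejected,
            "second" not in svc.client_inbox,
            svc.accounts_resettable_with(token) == ["victim"],
            token in svc.mail_outbox["victim@example.org"])


if __name__ == "__main__":
    print("flawed:  ", demo_flawed())    # (True, True): the other account can reset the victim
    print("hardened:", demo_hardened())  # (True, True, True, True)
```

The two checks that matter are the ones the post's workaround (moving to a secret email address) only papers over: a reset token must identify one account, and it must travel over a channel that proves control of that account's verified address, never to whichever clients happen to share the string.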