
A Montenegro-based coder and startup founder named Dmitry Chestnykh noticed the first of these two flaws in early August, when someone set up a new Skype account and used his email address, likely by accident. After being surprised by a new "welcome" email from Skype, he contacted Skype's customer support to point out the problem. After being told that "Skype takes security and privacy seriously," he was transferred to another support department, where he laid out the problem in this chat transcript he sent to me:

Chestnykh: Could you tell me if email accounts that are registered with Skype are being verified by sending a message to them? If so, maybe there's a bug in your system?

Skype staff: We send a welcome email to the registered email address whenever a new account is set up using that email.

Chestnykh: OK, that's what I received. So, basically, anyone can create an account for any email. And then you also send other emails with offers to the same account.

Skype staff: Please understand that all of us here at Skype take our customers' privacy and confidentiality very seriously

To be clear, Chestnykh's warning to Skype's customer support staff, likely one they'd received repeatedly, didn't include that it was possible to reset the password for another account just by registering a new one to that user's email address. But if Skype had listened, it could have fixed the unverified email registration that made the more critical password-reset issue possible. "These are two separate issues (what I reported and what these guys exposed today)," Chestnykh wrote to me in an email. "However had Skype fixed the issue I reported, the second one (today's) probably wouldn't be possible to exploit."

Prior to Skype's emergency move to block password resets Wednesday, there were signs that Skype's security flaws were indeed being used to steal users' accounts: Kaspersky Labs researcher Costin Raiu points to Russian opposition leader Alexey Navalny, whose account was apparently compromised with the technique Wednesday.
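The two flaws described above, as an added toy model written for this page (it is not Skype's code and does not claim to reproduce Skype's internals): a registration step that binds any email address to a new account on the strength of a welcome email alone, and a password reset that trusts that binding. The hardened version beside it requires the address to be verified before it counts and ties each reset token to a single account. The assumed pieces are the in-app inbox that delivers reset tokens to every account bound to an address, the sample addresses, and the usernames.

```python
"""Model of unverified email binding plus a reset flow that trusts it (added
illustration, not Skype's code). The per-account in-app inbox used to deliver
reset tokens in the vulnerable service is an assumption of this model."""
import secrets

VICTIM_EMAIL = "victim@example.com"  # constructed sample address


def _latest(messages, prefix):
    """Payload of the most recent message that starts with `prefix`, or None."""
    for msg in reversed(messages):
        if msg.startswith(prefix):
            return msg[len(prefix):]
    return None


class VulnerableService:
    """Registration binds an address with no ownership check."""

    def __init__(self):
        self.accounts = {}      # username -> {"email", "password"}
        self.inbox = {}         # username -> in-app messages (assumed channel)
        self.reset_tokens = {}  # token -> email it was issued for

    def register(self, username, email, password):
        # The welcome email is a notification, not proof of ownership.
        self.accounts[username] = {"email": email, "password": password}
        self.inbox[username] = [f"welcome:{username}"]

    def request_reset(self, email):
        # One token per address, pushed to every account bound to it, so a
        # freshly registered account sharing the address receives it too.
        token = secrets.token_hex(16)
        self.reset_tokens[token] = email
        for user, acct in self.accounts.items():
            if acct["email"] == email:
                self.inbox[user].append(f"reset-token:{token}")

    def complete_reset(self, token, target, new_password):
        # Any account bound to the token's address is accepted as the target.
        email = self.reset_tokens.pop(token, None)
        if email is None or self.accounts[target]["email"] != email:
            return False
        self.accounts[target]["password"] = new_password
        return True


class HardenedService:
    """Address must be verified; reset tokens are per account, mailbox only."""

    def __init__(self):
        self.accounts = {}       # username -> {"email", "verified", "password"}
        self.mailbox = {}        # email -> messages only the address owner reads
        self.verify_tokens = {}  # token -> username
        self.reset_tokens = {}   # token -> username

    def register(self, username, email, password):
        self.accounts[username] = {"email": email, "verified": False,
                                   "password": password}
        token = secrets.token_hex(16)
        self.verify_tokens[token] = username
        self.mailbox.setdefault(email, []).append(f"verify-token:{token}")

    def verify_email(self, token):
        user = self.verify_tokens.pop(token, None)
        if user is not None:
            self.accounts[user]["verified"] = True
        return user is not None

    def request_reset(self, email):
        # Mint a token only for verified accounts, sent to the mailbox alone.
        for user, acct in self.accounts.items():
            if acct["email"] == email and acct["verified"]:
                token = secrets.token_hex(16)
                self.reset_tokens[token] = user
                self.mailbox[email].append(f"reset-token:{token}")

    def complete_reset(self, token, target, new_password):
        # A token is good for exactly the account it was minted for.
        if self.reset_tokens.pop(token, None) != target:
            return False
        self.accounts[target]["password"] = new_password
        return True


def attack_vulnerable():
    """Register against the victim's address, then reset the victim's password."""
    svc = VulnerableService()
    svc.register("victim", VICTIM_EMAIL, "victim-pw")
    svc.register("attacker", VICTIM_EMAIL, "attacker-pw")  # nothing stops this
    svc.request_reset(VICTIM_EMAIL)
    token = _latest(svc.inbox["attacker"], "reset-token:")  # attacker's inbox
    ok = svc.complete_reset(token, "victim", "owned")
    return ok, svc.accounts["victim"]["password"]


def attack_hardened():
    """The same moves against the hardened service fail at two layers."""
    svc = HardenedService()
    svc.register("victim", VICTIM_EMAIL, "victim-pw")
    svc.verify_email(_latest(svc.mailbox[VICTIM_EMAIL], "verify-token:"))
    svc.register("attacker", VICTIM_EMAIL, "attacker-pw")  # cannot verify it
    svc.request_reset(VICTIM_EMAIL)
    minted_for_attacker = list(svc.reset_tokens.values()).count("attacker")
    # A token the attacker holds for a verified account of their own cannot
    # be replayed against someone else's account.
    svc.register("mallory", "mallory@example.com", "pw")
    svc.verify_email(_latest(svc.mailbox["mallory@example.com"], "verify-token:"))
    svc.request_reset("mallory@example.com")
    own = _latest(svc.mailbox["mallory@example.com"], "reset-token:")
    cross = svc.complete_reset(own, "victim", "owned")
    return minted_for_attacker, cross, svc.accounts["victim"]["password"]
```

`attack_vulnerable()` returns `(True, 'owned')`: the attacker never needed the victim's mailbox, only an account bound to the same address. `attack_hardened()` returns `(0, False, 'victim-pw')`: no reset token is ever minted for the unverified account, and a token the attacker does hold is rejected for any account other than the one it was issued to. The second check matters on its own: binding tokens to an account rather than to an address limits the damage even if the verification step is later bypassed.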
