Skype Disables Password Resets After Huge Security Hole Discovered
another random user writes with news of a vulnerability in the Skype password reset tool: "All you need to do is register a new account using that email address, and even though that address is already used (and the registration process does tell you this) you can still complete the new account process and then sign in using that account. Info (original post in Russian)"
concealment adds a link to another article with an update that Skype disabled the password reset page as a temporary fix.
I have multiple Skype accounts created on the same email address (for different people, however) and it does not allow one to log in as the other. It's possible to password-reset any of them independently.
To be fair I expect this hole existed when they brought Skype
That doesn't seem likely. In fact, I think this is a side effect of Microsoft preparing to integrate the 100 million MSN Messenger users into Skype. Somebody has been trying to ensure that the accounts will overlap nicely and has obviously made a huge mistake which allows this to happen.
"It is the business of the future to be dangerous" -Alfred North Whitehead
Microsoft also has issues with Xbox Live, although not close to as bad. Some guy, when he bought Xbox Live Gold, accidentally entered my email address, which has linked his 5-year account to my email. Last weekend I bought a game on Steam which requires Games for Windows Marketplace. Since I had to have an account to play the game, I entered my email and it said I already had an account, so I did a password reset. This other guy has now lost his Xbox Live Gold account with 7 months left already paid for, and support doesn't seem to know how to fix it. Also, I now have a stupid gamertag which apparently I can't change without an Xbox.
This doesn't compare to the Skype hole, but there should be no way to link an account to an unverified email address.
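Added example, not part of the thread or of any Skype or Xbox Live code: a minimal Python sketch of the rule argued for above, where an email address is linked to an account only after a token delivered to that mailbox is confirmed, and a password reset for an address only reaches accounts that confirmed it. The class, method names and token handling are hypothetical, and tokens are returned to the caller here only to stand in for mail delivery.

```python
import hashlib
import secrets

class AccountStore:
    """Hypothetical store: an email counts as linked only after its mailbox confirms a token."""
    def __init__(self):
        self.accounts = {}  # username -> {"email": str, "verified": bool}
        self.pending = {}   # sha256(token) -> (purpose, username)

    def _issue(self, purpose, username):
        token = secrets.token_urlsafe(32)
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = (purpose, username)
        return token  # a real service mails this; it is never shown to the requester

    def _redeem(self, purpose, token):
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.get(key)
        if entry is None or entry[0] != purpose:
            return None  # unknown token, or a token issued for a different purpose
        del self.pending[key]  # single use
        return entry[1]

    def register(self, username, email):
        if username in self.accounts:
            raise ValueError("username taken")
        # Registering with an address someone else uses is allowed, but it stays unverified.
        self.accounts[username] = {"email": email.lower(), "verified": False}
        return self._issue("verify", username)

    def confirm_email(self, token):
        username = self._redeem("verify", token)
        if username is None:
            return False
        self.accounts[username]["verified"] = True
        return True

    def request_reset(self, email):
        """Return {username: reset token}, only for accounts that confirmed this address."""
        return {u: self._issue("reset", u) for u, a in self.accounts.items()
                if a["email"] == email.lower() and a["verified"]}

    def redeem_reset(self, token):
        """Return the one username this token may set a new password for, or None."""
        return self._redeem("reset", token)
```

Each reset token is bound to a single username, so several verified accounts on one address can be reset independently without one token reaching another account.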