Skype vulnerability allowing hijacking of an account if you know just the email (pixus-ru.blogspot.ru)
362 points by jtraub on Nov 14, 2012 | 119 comments

OP at http://habrahabr.ru/post/158545/ (Russian) says that he reported this vulnerability about 3 months ago. The lack of any reaction is unbelievable.

Hint: you can change your email to something like user+skype@gmail.com to avoid registration of new email address.

Even now Skype's reaction is unbelievable. They are "investigating the issue" for almost 2 hours.

Stop saying "Skype", use "Microsoft" instead, and it's not unbelievable at all.

Except that Microsoft has a pretty stellar reputation when it comes to security procedures. They're well known as being among the best in the industry.

Well, they've certainly cleaned up their act, but I definitely wouldn't say that they're known to be among the best in the industry. I remember just a few years ago, you could get to ring0 in Windows and install a rootkit just via the registry. Let's not forget all the Hotmail vulnerabilities similar to this that have been active for an indeterminate amount of time.

A few years is an enormous period of time especially when it comes to tech and infosec.

No they don't. They have a reputation for taking months to respond to security issues, responding with "yeah whatever, we'll look into it" and then doing nothing for months, leaving software vulnerable to known exploits because "it's not patch day yet", and similar bullshit.

Given what I've heard of Skype-as-Microsoft-Skype, it would be inaccurate to act like Skype has been assimilated or would have much if any overlap with the people handling Windows vulnerabilities.

Damn, it takes 2 minutes to "investigate the issue" if you simply follow the steps.

But probably a little longer to find a fix, test it and release it...

Not really, no. Just stop the reset token from appearing in the client. Just send it by email like you're supposed to and that's it, vulnerability gone.

Yeah, but pushing a client fix takes time. They'll need an excuse in the meantime.

It's not a client-side fix. Just stop the server from sending the token/link to the clients. Sure, that might degrade the client experience a bit (assuming that the client isn't just displaying a webview, in which case no degradation would occur) but it would fix the problem for now.

Later on you can take your time rolling out a client fix if it's required, but a hotfix server-side is entirely possible, there's no excuse keeping this vulnerability possible when it's been made this public (step by step instructions to hack someone's account, with screenshots!) especially since you were contacted privately about it ~3 months ago.

Right. There's one developer at Skype who can just do that and push it to production, without talking to anyone else, or getting approval from anyone else.

Be realistic. If two people need to talk about it, it's going to take longer than 2 minutes.

Longer than two minutes, definitely! More than 2 hours to investigate and fix? Very doubtful. 3 months? That's a bit much...

I see you're not familiar with the nature of code deployments and everything that has to happen beforehand. ;)

The two hours were most likely spent on office politics as opposed to fixing the problem. I'm surprised it wasn't > 5 hours to be honest.

Given your description I'm sure I'm lucky I'm not familiar with that. I've never worked at any place that has > 40 employees. If I can manage, I hope never to have to.

Yeah, there's no doubt it sucks but so can working for smaller organisations. It's all about the people you're working with. The bigger the company, the more deadwood you likely have to work with.

You don't push the fix to the client. They have some notification system out there that is sending the messages to the client. They just need to stop it from sending these kind of messages. Obviously I can't say how much work is involved in that - but they don't need to push an updated client.

I think they can just temporarily turn off password reset to prevent account stealing. After that they can take their time to fix the problem, test it and roll out to the public.

Block password reset. It is as simple as that.

They have just done that.

yes, better to keep 0day working, and roll out fixes with the next release.

something like +fi92is82ls8223 is probably better, i.e. something not predictable / guessable.

Microsoft reports they have disabled password resets during the investigation: http://heartbeat.skype.com/2012/11/security_issue.html

That text was replaced, here is the old text:

    We have had reports of a new security vulnerability issue. As a precautionary
    step we have temporarily disabled password reset as we continue to investigate
    the issue further. We apologize for the inconvenience but user experience and
    safety is our first priority

It's even worse! Their website is so broken you can't change your password (new password fields are disabled) and you can't set a new email address as primary (the "make primary" button only appears when the new email address field is empty). Also, if you first add a new email address, save, then set it to primary, it disappears. Wtf.

I see no recourse other than closing my account, if that's still possible. [edit] No, not even that is possible.

I'm having the exactly same problem, and I can't believe they're doing it. They won't even let us protect ourselves. Could they botch worse than that?

I guess it was done to prevent account stealing while Microsoft works on appropriate fix

This appears to be a bug.

After adding the email address and clicking save, logging out, and logging in, I found the email address was successfully added. At this point I could change it to the primary one, click save, paste my password, and click the button on the password prompt to successfully change my primary email address. If I tried to add the email and make it primary in one session, it would not work. If I entered my password and hit enter, it would not work.

Doesn't work for me - I can add a new email address, but when I sign out and back in it's vanished. Feels like they might have disabled parts of the account management system.

The site is very buggy indeed. But it is possible to change the primary email address if, when you are prompted to retype your password, you "type password and click button by mouse, not by "Enter" key" (as the post says). Maybe that would work for you...

Never use enter to complete forms, use the mouse. That works for me.

On top of that a lot of people have their Skype accounts integrated with facebook having their one and only email accounts published over there.

And when you try to change your password:

Character not recognized. Please choose a mix of letters and numbers.


Skype reports this has been resolved: http://heartbeat.skype.com/2012/11/security_issue.html

    Early this morning we were notified of user concerns surrounding the security
    of the password reset feature on our website. This issue affected some users
    where multiple Skype accounts were registered to the same email address. We
    suspended the password reset feature temporarily this morning as a precaution
    and have made updates to the password reset process today so that it is now
    working properly. We are reaching out to a small number of users who may
    have been impacted to assist as necessary. Skype is committed to providing a
    safe and secure communications experience to our users and we apologize
    for the inconvenience.

Good to hear they fixed it but it was responsibly disclosed a month ago and Skype did nothing whatsoever. We really need a better way to hold a company accountable for appropriately reacting to proven security threats without requiring a public disclosure.

I confirm. Just tested on Win7, Skype

The notification about the password reset token does appear in the Skype client, but no reset code is shown at first. Then I've pressed Ctrl+F5 on the home screen, skipped the Facebook thing, and here they are!


On OSX doesn't work, though. The password token notification doesn't come.

Also it seems the password reset link is not working for me.

MS is fixing the problem right now. They turned off password recovery form a few minutes ago.

By the way, Skype's registration page has inexplicable password rules.

aaaaa1 - strength: medium

aaaaa12345 - strength: poor

=aStu!et$aQ@212345 - strength: poor

Yeah, at my last job, someone implemented a password strength checking feature that would actually reject stronger passwords. It required:

1. At least 3 out of the 4 categories uppercase, lowercase, digit, special character

2. No character could be repeated more than two times

3. No sequence of 3 or more increasing or decreasing letters or numbers could be present (and not even consecutive: "ta/Tbs#cz" would be rejected because it contains "abc").

4. No English words or names could be present.

5. It must be at least 8 characters

There may have been other restrictions too, I don't recall the exact details.

This meant that perfectly reasonable passphrases (like "correct horse battery staple") would be rejected. Even if you tried to come up with a good password that met the rule, you might fail by accident because "89cRbcThe*)" has the word "The" in it. You would generally have to come up with a password, then whittle it down slowly until you passed all of the rules, usually making it weaker in the process.

They must have really dedicated customers. That, or their users are required to use their system under the pain of multi-year imprisonment. I see no other way why would anyone agree to suffer through this.

So... were ANY passwords created? I could see the success rate on this at like 1%.

You can't even delete your Skype account if you want to. You can only change some of the information:


If you contact support you can set the account as deleted. So that screenname becomes unavailable (or at least that is what they told me when I did it).

I think as a precaution, you can change your Gmail address, using the + operator. In case you didn't know, you can receive emails sent to yourusername+anystring@gmail.com

In August I received an email from Skype thanking me for registering an account. But I already had an account, I didn't register this one. After comparing the new account name with part of my email, I came to the conclusion that someone mistyped their email address, and registered an account on my address. I contacted their live support, here's the conversation:

    George A: Hello! Welcome to Skype Live Support! My name is George. How
    may I help you?

    me: Recently I have received an email welcoming me to Skype (not
    phishing, I verified). The problem is that I didn't create the account
    mentioned in the email. The account name was "[NEW SKYPE ACCOUNT]" and
    my email is [MY EMAIL 1], so I think that user mistyped his email
    address, and then Skype sent a welcome message to me. Doesn't Skype
    verify email addresses before sending a welcome message?

    George A: I understand that you are concerned about your email address
    being used to setup a Skype account, I'll be happy to help you with
    that.  May I please have your Skype Name?


    George A: I would also need the email address, please.

    me: [MY EMAIL 1]. let me check that this address is on my Skype
    account... ok, my email on file in Skype is [MY EMAIL 2].  and a few
    other too, all mine :)

    George A: Well, I see that there is only Skype Name registered under
    that email address, the Skype Name is [NEW SKYPE ACCOUNT]

    me: Yes, for my account ([MY SKYPE ACCOUNT]) the primary email is [MY
    EMAIL 2], but other emails on profile are [MY EMAIL 1], [MY EMAIL 2],
    [MY EMAIL 3].

    George A: May I please ask you to confirm which Skype Name that you do
    not authorize?

    me: Does Skype send verification message before assigning the email
    to account? The Skype name which I didn't create is [NEW SKYPE

    George A: May I also have the email address that was used?

    me: [MY EMAIL 1]

    George A: Well, I would need to send you a confirmation to that email
    address. I would kindly need you to reply back to that email.

    me: Please do

    George A: Then, we will be able to delete that Skype Name for you.

    me: thank you

    George A: You are most welcomed, please expect my email within 10
    minutes.  Is there anything else I can help you with today?

    me: Could you tell me if email accounts that are registered with Skype
    are being verified by sending a message to them? If so, maybe there's
    bug in your system?

    George A: We send a welcome email to the registered email address
    whenever a new account is set up using that email.

    me: OK, that's what I received. And then you also send other emails
    with offers to the same account. So, basically, anyone can create an
    account for any email. Why don't you verify emails?

    George A: Please understand that all of us here at Skype take our
    customers' privacy and confidentiality very seriously

    me: OK. Thank you.

    George A: You are most welcomed. It's been a pleasure speaking with
    you today. Thank you for contacting Skype Live Support, have a great
    day. We value your feedback. Please be aware that we will ask you a
    few questions after closing the chat window about your experience with
    us today.  Once you are ready please click on the "Exit" button.

    me: I suggest adding a link to Welcome email that says "I didn't
    create this account". Bye!

Realizing that there's nothing this support person can do about this, I sent email to their "security" people. I received no reply.

And now this failure to verify emails leads to the linked vulnerability. Nice.

For reporters: what I wrote about is a different issue from today's vulnerability! However, if Skype verified emails, as I suggested, today's hack wouldn't be possible. (At least, today, I don't know whether guys discovered vulnerability earlier than I wrote to Skype support).

http://www.h-online.com/security/news/item/Skype-investigati... claims that I discovered today's vulnerability, but I didn't. I discovered, by accident, that Skype doesn't verify email addresses (in fact, they still don't, even after fixing vulnerability); I don't even think that I'm the first person to do it.

Edit: I also didn't write the linked blog post, it was someone else.

The same is, or was at least, true of xbox live - someone registered using my email, and there's obviously no account confirmation, as the account is live and I receive email notifications etc, but I can't get into it or remove it, since I don't know the password. I wonder how many other sites do this to avoid friction on sign up?

Happened to me too. I have no way to tell them that I am indeed not xXx_Rastafarian_xXx .

You're going to end up on some federal agency list for being a suspected pothead ;)

Fortunately even our fear of drugs isn't that insane.

Sony network is the same. I have a throwaway Gmail address which was used to sign up for the Sony network and various games. At first I replied to any email that I didn't sign up for this, then I contacted Sony network customer service, they said something marketing, I decided to not care. Now every email from Sony gets a direct way to the spam folder.

While I admit it's stupid they don't verify new users' email addresses, it doesn't look like doing so would even prevent this recent attack. If I understand the attack correctly, the only way to prevent your account being taken is to change your email address to something unknown. In effect using the uniqueness of your email address as a 2nd password.

This attack is truly horrendous and its disclosure will most likely reverberate for a while.

The first step of this attack is to create another account for the email address controlled by a victim. If Skype sent verification email to this address asking the victim to click a link to confirm creation of the new account, this first step wouldn't work.
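
Added example (not part of the original thread, and not Skype's code): a minimal Python model of the two mitigations discussed in the comments above, confirming an email address before it is bound to an account and delivering reset tokens only by email. The AccountService class, its method names and the example.com addresses are assumptions made up for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    email: str
    email_verified: bool = False
    password: str = ""  # placeholder: a real service stores a password hash


@dataclass
class AccountService:
    """Toy account service (constructed for illustration; token expiry omitted)."""
    accounts: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)       # (recipient, subject, token)
    verify_tokens: dict = field(default_factory=dict)  # sha256(token) -> account
    reset_tokens: dict = field(default_factory=dict)   # sha256(token) -> account

    @staticmethod
    def _digest(token):
        # Only the hash is kept server-side, so a leaked table holds no usable token.
        return hashlib.sha256(token.encode()).hexdigest()

    def _send_token(self, table, account, subject):
        # The token leaves the service only inside a mail to the account's address.
        token = secrets.token_urlsafe(32)
        table[self._digest(token)] = account.name
        self.outbox.append((account.email, subject, token))

    def register(self, name, email, password):
        account = Account(name, email.lower(), password=password)
        self.accounts[name] = account
        self._send_token(self.verify_tokens, account, "confirm " + name)
        return account

    def confirm_email(self, token):
        name = self.verify_tokens.pop(self._digest(token), None)
        if name is None:
            return False
        self.accounts[name].email_verified = True
        return True

    def request_reset(self, email):
        # Only accounts whose owner confirmed the address are eligible, and the
        # caller (web page or client session) gets the same text in every case.
        for account in self.accounts.values():
            if account.email == email.lower() and account.email_verified:
                self._send_token(self.reset_tokens, account, "reset " + account.name)
        return "If the address is registered, a reset link has been sent."

    def reset_password(self, token, new_password):
        name = self.reset_tokens.pop(self._digest(token), None)  # single use
        if name is None:
            return False
        self.accounts[name].password = new_password
        return True


def run_scenario():
    """Constructed scenario: a second, unconfirmed account shares the owner's address."""
    svc = AccountService()
    svc.register("victim", "Victim@example.com", "old-pw")
    svc.confirm_email(svc.outbox[-1][2])          # owner clicks the link
    svc.register("second", "victim@example.com", "x")  # never confirmed

    already_sent = len(svc.outbox)
    response = svc.request_reset("victim@example.com")
    reset_mail = svc.outbox[already_sent:]
    token = reset_mail[0][2]
    return {
        "response_leaks_token": token in response,
        "reset_recipients": [recipient for recipient, _, _ in reset_mail],
        "reset_accounts": [subject.split()[1] for _, subject, _ in reset_mail],
        "first_use": svc.reset_password(token, "new-pw"),
        "replay": svc.reset_password(token, "other-pw"),
        "new_password": svc.accounts["victim"].password,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, "=", value)
```

The unconfirmed "second" account never becomes a reset target, and the reset token is visible only in the mailbox of the confirmed address.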

Turing test failure, or highly trained human? I'm not sure.

Encountering tech support people that would fail a Turing test is not nearly as rare as one would want it to be.

I suspect the support person may have been partly typing his responses and partly pasting prefab support snippets. Not sure though.

Incidentally, I've had someone (judging from the last name I get to see in the email, a Chinese person) use one of my email addresses to register a WoW account. You don't actually need to verify the email address, so they don't need access.

What's interesting is after spending 30min or so clicking around Blizzard's site there is no way to actually contact support without having an account. You also can't claim the account, because you need a first and last name along with the email address, and I only have one of their names.

In the end I just left it, it was an old account and there is no evidence that they had real access, and as it was a legacy account I'd securified it anyway (creating a massive 32character random password and storing it in a password manager, just to close off any loose ends).

As usual, making this public and widely broadcasted will probably encourage them to finally listen to you :)

Netflix has a similar problem - http://blog.hardikr.com/tech/netflix-email-fail/

After successfully exploiting this on my own account, tried again with my SO's account and https://login.skype.com/account/password-reset-request has been blocked. Pretty good emergency reaction.

It should be noted that after my account password is changed, I tried to login with the old password, the Windows Skype app told me the username and password combination is wrong but it still let me log in. This may be a different bug in caching?

Hope we can get a postmortem report out of this...

It only works if the account had a credit card on file and/or made purchases in the past. Unless you know the credit card number or the purchase ticket number, this link isn't much help.

Can't believe Skype has been ignoring this issue up until it got to the top of Hacker News and HabraHabr.

I think it's a good practice to always use unique, unpredictable email addresses when signing for online services.

1. Most people use the same or similar password, so once one account gets hacked, the attacker is probably able to use many other accounts on different services with the same email address/password combo.

2. It's easier to spot services that spam, or that leak your email address (I became aware of a leak of email addresses on Box... luckily it was only emails that got leaked, at least according to Box support).

3. It's easier to block spam, once a service misbehaves or gives away the email.

I wrote a little more about using it as a "passwordless password manager" at http://blog.gingerlime.com/2011/passwordless-password-manage...

update: (if blog post is too long...) this does not mean setting up hundreds of different email accounts. On most services like hotmail, google and yahoo you can simply append some unique string to your email address, e.g. john+f820938422@gmail.com. Making this unpredictable is important however, so appending +facebook and +twitter is not helping much though...

Are you suggesting to have a different email address for every online service we use? Today I manage about 100 different unique passwords for every online service. This is already very inconvenient. Adding as well as having different bogus email addresses would be at least 2 times more difficult!

I think something is really broken in today's web authentication scheme. I think there is really huge need for some independent and reliable service (Mozilla's Personas maybe).

While I don't necessarily agree with your parent's post, there's a relatively simple solution here. If you're using gmail, you can use the + operator to automatically tag emails. Here, it serves an alternative purpose.

For example, if my email is daniel@gmail.com, then I would use daniel+hn@gmail.com when signing up for Hacker News.

Skipping over the fact that most email providers don't necessarily support this, and that not all websites/services will allow it (not saying they are right not to), this creates a whole new set of things to remember as even something as simple as +hn (which is surely simple enough that anyone could guess it) could be tougher on other sites, e.g. is Reddit +rd, +re, or...?

To carry this idea further, the +descriptor email trick has backfired on me before. Sometimes sites require an email login and it takes me several tries to even remember what my +descriptor was.

Sometimes, I don't actually remember and just end up going to my inbox to find an email from the site so I can look up what I used.

Another time, this backfired on me when I purchased concert tickets using a +descriptor email and couldn't login. The purchase form and login form had different validation rules, so the purchase form accepted my +descriptor email and charged me for it. The login form rejected my +descriptor email and I was rushing to contact customer service to print my ticket in time.

I do it, and have done it for a pretty long time. In the vast majority of cases, it's (almost) in the form of sitename@myemailaccount.com - which is usually pretty easy to remember.

If someone was directly targeting me, and had my email address from another site, they could probably figure out what I'd used elsewhere. But if it's just a script running through email addresses harvested from site A, then mine will almost always be irrelevant on site B.

The main reason I use it though is that it's a great way to figure out where spam is coming from. Last week for instance I got a "male enhancement" spam from an email address I've only ever given to scan.co.uk. That address is now on my block list and I doubt I'll be buying through them again.

Nice way to find where spam comes from.

Sadly this is at best a complicated workaround, that will work for people that are motivated enough to remember for each different service a separate email and password and additionally to this you have to remember as well the credentials to manage your email address and check the emails from different sites.

In my case it would mean having about 100 email addresses.

You actually don't need separate emails for this. You can use (name+tag@provider.com, Gmail supports it and others too I'm sure). Or you can use your own domain (Google Apps makes this really trivial) and have the part before @ be the sitename (that's what OP suggests) and then have catch-all address. You might receive slightly more spam if you turn on catch-all, but I have a setup like this and it works.

I suspect my total is way above 100. But you don't actually need to remember anything really. The @mydomain.com stays static and the email is basically the name of the site.

I use unique and secure passwords for all online services, https://agilebits.com/onepassword makes it really simple.

I don't really see the need for passwords anymore. Mozilla's Personas looks good for the web.

With the rise of mobile apps though, we introduce more usernames and passwords daily.

Believe there is an easier way to handle user authorisation and here is a post about it. https://gist.github.com/4052818

http://www.keepassx.org/ is a free and open-source password manager. It makes using almost infinite numbers of accounts easy to use. If you use secure passwords they are like not possible to remember anyways.

I moved from PC Applications for Password usage to use passdroid on the phone. Like this I have the passwords always in my pocket.

Thanks to the power of free open-source software there is keepassdroid of course. ;)

I think it's possible to flip the order. Instead of managing 100 passwords for each account, manage 100 emails and ONE password for all accounts. Make sure your password is really strong, and you should be better-off than managing those 100 passwords, which require a secure password manager.

Of course it's better to have a real password manager, but for most people, who don't or can't be bothered setting this up, this would be a huge step forward since they anyway use the same email and the same password everywhere.

And then one of the accounts' password is stored in plaintext and the database is leaked with the mail addresses and everyone can easily log in as you at 100 services.

Never, ever, re-use passwords for anything you value.

Except, as the comment you responded to suggested, you would use a different email for each service.

Did you actually read what I was saying on the blog post or the comment??

Most people re-use not only the password, but also their email. This is the worst combination.

If you use an unpredictable, unique email address, and use a secure password. Even if it leaks on one site, the attacker has no easy way to predict what your email address is going to be on any other site without having access to the list of email addresses.

Instead of remembering all those weird email names, what you could do is:

1) Buy domain and attach google apps to it.

2) Switch catch-all email setting in preferences.

3) When register for a service use email like skype@domain.com or facebook@domain.com etc.

And for sites that don't have insufficiently permissive email regex validators, if you have gmail you can just add a '+' and do youremail+skype@gmail.com, youremail+facebook@gmail.com, etc.

Yeah, you could do that as well. I just don't like the idea that someone holds my email address. After reading few stories where Google/Microsoft blocks access to email, I decided to move my email to custom domain. In case of any issues all I have to do is change MX names to new provider to start receiving my mails again.

You can do the +modifier trick with GApps as well.

Yes, but one of the great things about having GApps with your own domain name, is that you are not tied to Google as an email provider, and can easily switch. If you use something like the '+' modifier, then if you switch away you need to switch to someone that supports the same modifier.

So if your goal is to maintain email-provider independence, then relying on provider-specific features like the '+' modifier works against that goal.

For me though, the main reason I don't use it is most sites that I want to use it on reject the '+' in the address as invalid. It happens enough that I don't bother trying anymore.

So now you need a password manager to remember the email addresses instead of the password.

What problem are you solving?

The problem I was trying to solve is of many people who use the same password and email everywhere, and who won't use a password manager or feel it's too complicated to install or use etc.

The email addresses are not as sensitive as passwords. Sure. If someone gets hold of all of them AND your master password you're in trouble. But same goes to getting your password manager file and the password for it.

The difference is you don't need a password manager software. You can store this list anywhere which is reasonably safe.

Your scheme is no easier to implement than having a different password for each website. You have effectively moved part of the password out of the password and into the email address.

It is only easier in the sense of not having to install or use a password manager, and that the email addresses themselves are not as sensitive as the password.

As with everything security related, there is a trade-off. I'm not saying it's more secure, but it can be more convenient in certain circumstances and for certain people.

A password-manager is more secure (if the master password is and the manager software is safe). A unique email address + unique password with a password manager even more so. two-factor authentication even more... and so on...

It's just a question of options/priorities. This is still a valid option in my opinion which might work well for some people who don't want / can't use a password manager, but can handle a list of random email addresses...

what I do is intersperse the site name with my username at my domain e.g. for skype:


then I have a catch-all on the domain, and lower the priority of emails that aren't to my normal address, but any important emails get their own forwarder to forward into my main inbox, so I will get the emails on my mobile devices.

quite effective actually.

And they said I'm crazy to create an extra email address just for Skype back then..

Password recovery form was disabled and as of now the vulnerability can not be exploited. See announcement http://community.skype.com/t5/Security-Privacy-Trust-and/Pas...

Not quite as bad but it is also possible to get a user's IP address just by sending them a friend request. This has been known about and exploited for months, possibly over a year. It's meant that high profile users of Skype on sites like youtube or twitch.tv have to keep their skype private and/or connect to it specifically with a proxy to avoid getting DDOSed

Any idea the period of time this bug has been present? I remember the login process being inconsistent (especially among the iOS apps) when I signed up four years ago, but I attributed it to me just being unfamiliar with the service.

Yes. Wow yes. The interface is getting better, but it's still awful. At least you can now return a missed call without going out the page, into contacts, and hunting the caller down. The OSX client is a whole other world of pain. FaceTime briefly looked like a promising replacement, but no.

I'm genuinely curious- what's keeping people on Skype? There are better alternatives out there now (Google+ Hangouts, for example). Will this push any of you Skype users over?

Tons of folks (think: grandmothers and parents and other potentially non-tech-savvy folks) have been using Skype to communicate with family members across the globe for many years. Simply expecting them to switch to Google Hangouts is a tall order.

I use Skype quite regularly. I'd much prefer to move to Google+ Hangouts but there are a few things that make using it more painful than Skype:

* More people that I'm in contact with have Skype installed vs. have Google Voice and Video installed

* I use Adium as my IM client as I find it easier to use than Google+ in browser chat. To avoid double notifications, I keep chat closed 'in browser', which adds friction when starting a hangout

* Skype makes the call much faster than Google+ hangouts. In hangouts, the call usually times out but if I leave the window open, the other party will eventually join

On the plus side:

* Google+ hangouts call quality is usually much better

* Skype can't do multi-user video

* I find the 'in call' Google+ hangouts interface much more intuitive.

Well, I'm not a big fan of Skype but I tend to use it for longer calls with family overseas (US<->Europe) because I experience quite significantly better video/audio quality. Few months back (it's fixed now I think) I even had freezing video every so often on Google Hangout.

Or screen sharing, it was completely unusable in Google Hangouts on Linux just 2 months back whereas Skype didn't have any issue and worked (surprisingly!) flawlessly.

I don't really perceive the network effect that much, everybody I have on Skype also has a Google account.

Hangouts are very different use case from Skype. Skype is a messaging platform, g-hangout is a teleconference platform. They have intersecting, but not identical uses.

In my experience, the people that want me to use them have that exactly backwards.

The audio quality of Skype is far superior to Hangouts.

The existing user base. When you communicate daily with a ton of customers using Skype, switching to something else seems a remote prospect at best.

We use Skype to call friends' mobile numbers in African countries, Ukraine, etc. Does Google+ allow that? (Note: not a Google+ user)

Because Skype always works. For example, most ISPs in Russia still allow access to provider's network even if internet connection is unpaid. Skype works, because somebody with internet who paid for it is gate for all unpaid users. Skype traffic is almost impossible to block except some hacks about detecting its autoupdate.

Works usually yes, but that isn't all a good service needs. I'd like to enjoy using it rather than getting Skype-rage. Interface, inability to block calls (from iOS at least), I'd better not start or I won't stop.

As far as I know, Google+ Hangouts doesn't let you call people.

Is there a way to actually just phone somebody with it, the phone on their computer rings, and they answer it?

Preferably with a standalone client, as I can't guarantee I'd remember to open and leave open a browser tab.

The company I work for uses it, ~150 Skype users. Works pretty well!

Because I don't want to sign up for Google+. I dislike the idea of bundling their social data mining solution with just about anything, like a less obvious and impossible to opt-out version of whatever-toolbar bundled with software years ago.

And you strangely believe Microsoft isn't doing the same thing with Skype's data?

They are way, way worse at it than Google. Which is good for me.

It looks like they've fixed it now. https://twitter.com/Skype

Forgot password no longer working, seems like they switched the function for now. Step in right direction.

Didn't work for me on the Mac version of the Skype client. Will retry on Win7.

Nice work MicroSoft.
