August 27, 2014

Skype moves quickly to fix account hijacking flaw

(LiveHacking.Com) – The last 36 hours have been a bit manic for Microsoft’s Skype business. A vulnerability that was discovered three months ago went public when its details were shared on the news discussion site Reddit. The flaw allowed malicious users to reset the password for any account without having access to the target account’s email address. Skype’s first move was to disable the password reset function.

To exploit the flaw, a new user account had to be created using an email address that was already associated with an existing Skype user. If a password change was then requested using the target’s username, the “Password token” notification also appeared in the Skype client. Clicking a “more info” button for this notification provided the attacker with the password reset link. Visiting the password reset link led to a page on the Skype website that allowed the password to be changed. There was no need for the attacker to have access to the target’s email account.

Dmitry Chestnykh, who is credited with originally finding the bug, has posted a record of a chat conversation with Skype Live Support where he points out to them that he received a Welcome email for a Skype account he didn’t create. It was Skype’s failure to verify email addresses that led to the discovery of the password reset vulnerability. The chat log is from August and if this is true it means that Skype’s password reset mechanism was vulnerable for several months.

After suspending the password reset service, Skype issued a statement in which it said, “This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution.” It then worked to fix the flaw and said it has made “updates to the password reset process today so that it is now working properly.”

Skype says that it believes only “a small number of users” may have been affected by the security vulnerability and that it is reaching out to users who may have been impacted to assist as necessary. It also offered the mandatory “we care about security” statement: “Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.”
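
The root cause described above, modelled as an added example (not Skype's code and not part of the original article): a reset flow that shows the token to every client registered to an email address, beside one that sends it only to a verified address. All class, method and account names are hypothetical, and the hardened flow is one reasonable design, not the fix Skype shipped.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool = False
    client_inbox: list = field(default_factory=list)  # in-client notifications


class ResetService:
    """Toy model of a password reset service; every name here is hypothetical."""

    def __init__(self):
        self.accounts = {}
        self.tokens = {}   # token -> username it may reset
        self.mailbox = []  # (email, token): stands in for outbound email

    def register(self, username, email, verified=False):
        self.accounts[username] = Account(username, email, verified)

    def _issue(self, username):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = username
        return token

    def request_reset_flawed(self, target):
        # Behaviour the article describes: the token notification reaches
        # every client whose account lists the same email address.
        token = self._issue(target)
        for acct in self.accounts.values():
            if acct.email == self.accounts[target].email:
                acct.client_inbox.append(token)

    def request_reset_hardened(self, target):
        acct = self.accounts[target]
        if not acct.email_verified:
            return False  # no proof of mailbox ownership, no reset by email
        token = self._issue(target)
        self.mailbox.append((acct.email, token))  # token leaves only by email
        acct.client_inbox.append("A password reset was requested.")  # no token
        return True
```

Registration-time email verification closes the same gap from the other side: an account that never proved ownership of the address should not share any recovery channel with one that did.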

In brief: Skype being used to spread DORKBOT worm

(LiveHacking.Com) – Skype is being used to distribute a variant of the DORKBOT worm. Users are being spammed with instant messages saying “lol is this your new profile pic?” If they click on the link (which cunningly includes the username of the recipient) a variant of the DORKBOT malware family is downloaded to the PC.

DORKBOT allows an attacker to take complete control of the PC and includes password theft capabilities for a large number of popular websites including Facebook, Twitter, Google, PayPal, NetFlix and many others. It can also be used to launch distributed denial-of-service (DDoS) attacks, and it can download other malware to the PC when instructed by the command and control server.

Once the Windows machine has been infected, the worm sends out other “lol” messages to the users on the victim’s contact list. In turn, the unsuspecting recipients think the message was sent from someone they know and click on the link, and the cycle starts again.

“Skype takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact,” said Skype to the BBC. “We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links – even when from your contacts – that look strange or are unexpected is not advisable.”

Skype bug sends your instant messages to other recipients

(LiveHacking.Com) – Skype has confirmed that it is looking into a bug which sends some instant messages to other recipients besides the intended user. According to the BBC, who also link to messages from disgruntled users on the Skype forums, messages sent between two users can be copied to a third party, in “rare circumstances”.

Skype are reportedly working on a fix for the bug, which seems to have been introduced in an update to the Skype software in June. A Skype moderator replied in the forums with: “Thanks for your reports and sorry for the inconvenience caused by this. We are currently investigating and hope to provide a solution for this soon.” And then the company, which is owned by Microsoft, told Engadget: “We are aware that in rare circumstances IM’s between two contacts could be sent to an unintended third contact. We are rolling out a fix for this issue in the next few days and will notify our users to download an updated version of Skype.”

According to a statement sent to ZDNet by Skype, “We have identified a bug that we are working hard to fix. This issue occurs only when a user’s Skype client crashes during a Skype IM session, which may in some cases result in the last IM entered or sent prior to the crash being delivered to a different IM contact after the Skype client is rebooted or logged in as a new user.”

The same statement reveals that the Skype clients affected include: Skype 5.9 and 5.10 for Windows, Skype 5.8 for Mac, Skype 4.0 for Linux, Skype 1.2 for Windows Phone, Skype 2.8 for Android and Skype 4.0 for iOS.

Has Skype for iOS Vulnerability Been Fixed?

(LiveHacking.Com) - A new version of Skype (3.5.84) for the iPhone and iPad appeared in the App Store yesterday with lots of new features like Bluetooth support and image stabilization. But the “What’s New” section also mentions “Bugfix for security vulnerability.” Currently Skype are keeping quiet about exactly which “security vulnerability” has been fixed, however it is most likely to be the Cross-Site Scripting vulnerability found in the “Chat Message” window which could allow an attacker to download a copy of the phone’s address book.

The vulnerability, which was found last week, can be exploited by simply sending a specially crafted chat message to a Skype user. Skype uses a locally stored HTML file to display chat messages from other users, however it doesn’t properly encode the incoming user’s “Full Name”. The result is that an attacker can create some malicious JavaScript code that runs when the victim views the message.

Skype has published a blog post about the new iOS version where it explains the new anti-shake feature and the support for Bluetooth, however it mentions nothing about the security fix.

It is recommended that every iPhone/iPad Skype user updates to this new version but it is also worth noting that there have been reports of problems with the new version including 1) Skype Credit not showing 2) Contacts slow to sync 3) Account settings (e.g. photo, name, profile) not appearing.

To remedy these, Skype suggest deleting your Skype app and starting a new installation from scratch. To delete the app, press and hold the app icon on your iPhone, and click the ‘X’. To re-install, return to the AppStore, and install.

Skype for iOS Vulnerability Allows Attacker to Steal Address Book Just By Sending a Chat Message

(LiveHacking.Com) - A Cross-Site Scripting vulnerability has been found in the “Chat Message” window of Skype for iOS. The vulnerability can be exploited by simply sending a specially crafted chat message to a Skype user. Skype uses a locally stored HTML file to display chat messages from other users, however it doesn’t properly encode the incoming user’s “Full Name”. The result is that an attacker can create some malicious JavaScript code that runs when the victim views the message.

Because of the way Skype uses the built-in WebKit browser, any JavaScript run via the Chat Message exploit can access the local user file system. Access to files on iOS devices is restricted by the underlying operating system, but every iOS application has access to the user’s AddressBook. This has allowed Phil Purviance to create a proof of concept injection and attack that downloads a user’s address book to a remote server just by sending a Skype Chat Message.

Phil told Skype about the vulnerability almost a month ago and was told that an update would be released early this month.

Skype says it is aware of the security issue, and has issued the following statement:

“We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.”

Phil also created a video showing the exploit in action:

Skype Code Injection Vulnerability

(LiveHacking.Com) - Noptrix.net has published details of a new Skype HTML/JavaScript code injection vulnerability. Affecting Skype versions <= 5.5.0.113 on Windows (XP, Vista, 7), the advisory describes a persistent code injection vulnerability due to a lack of input validation and output sanitization of home, office and mobile profile entries.

By using this vulnerability an attacker could inject HTML/Javascript code. Noptrix.net has not verified if it’s possible to hijack cookies or to attack the underlying operating system.
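
Both injection bugs above (the unencoded “Full Name” in the iOS chat view and the unvalidated home, office and mobile profile entries on Windows) come down to the same two missing steps, shown here as an added example that is not Skype's code or part of the original posts. The templates, function names and the phone number pattern are assumptions made for illustration; the sample inputs are constructed.

```python
import html
import re

# Hypothetical templates standing in for the client's local HTML views.
CHAT_TEMPLATE = '<div class="msg"><span class="from">{full_name}</span>: {body}</div>'
PROFILE_TEMPLATE = "<ul><li>Home: {home}</li><li>Office: {office}</li><li>Mobile: {mobile}</li></ul>"

# Input validation: a phone field may hold only digits and common separators.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()\-]{3,24}$")


def render_chat_unsafe(full_name, body):
    """The flawed pattern: remote-controlled text pasted into markup as-is."""
    return CHAT_TEMPLATE.format(full_name=full_name, body=body)


def render_chat(full_name, body):
    """Output encoding: every remote-controlled field is HTML-escaped."""
    return CHAT_TEMPLATE.format(
        full_name=html.escape(full_name, quote=True),
        body=html.escape(body, quote=True),
    )


def clean_phone(value):
    """Return the trimmed value if it looks like a phone number, else ''."""
    value = value.strip()
    return value if PHONE_RE.fullmatch(value) else ""


def render_profile(home, office, mobile):
    """Validate on the way in, then still encode on the way out."""
    fields = {"home": home, "office": office, "mobile": mobile}
    safe = {k: html.escape(clean_phone(v), quote=True) for k, v in fields.items()}
    return PROFILE_TEMPLATE.format(**safe)


if __name__ == "__main__":
    name = "<script>/* constructed marker */</script>"  # constructed input
    print(render_chat_unsafe(name, "hi"))
    print(render_chat(name, "hi"))
    print(render_profile("+1 408 555 5555", "<b>x</b>", "555-0100"))
```

Encoding at the point of output is the step that must never be skipped; validation narrows what is stored but does not replace it.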

Is There an Unpatched Vulnerability in Skype for Mac? Yes and No.

Gordon Maddern caused quite a stir over the weekend when he blogged about a zero day vulnerability in the Mac OS X client of Skype. According to Gordon, who is part of Pure Hacking, a security consultancy company, he discovered the vulnerability over a month ago and notified Skype. They responded with “Thank you for showing an interest in skype security, we are aware of this issue and will be addressing it in the next hotfix.” However, after a month of silence Gordon decided to go public.

Skype responded quickly saying that the vulnerability has been fixed. “At the time they alerted us, we were already aware of the issue and were working on a fix to protect Skype users from this vulnerability… We subsequently released a hotfix for this problem in a minor update (Skype for Mac version 5.1.0.922) on April 14th.”

However the problem was that since there were no reports of this vulnerability being exploited in the wild, Skype did not prompt its users to install this update, as, according to Skype, “there is another update in the pipeline that will be sent out early next week.”

Gordon has subsequently updated his blog: “We can confirm that skype has fixed this issue in 5.1.0.922. It requires a manual update. All prior versions are vulnerable. According to skype this patch will be pushed out next week.”

To update your Skype for Mac client just click on Skype -> Check for Updates or you can download the software here.

Analysis: Skype got this wrong by not notifying its users of the upgrade. A month is a long time in information security. If another hacker discovered the same flaw and launched an attack it could have harmed Skype’s reputation enormously.

Skype for Android Updated – Fixes Privacy Vulnerability

A few days ago Justin Case of the Android Police web site discovered that the Android version of Skype uses a simple sqlite3 database to store contacts, profile information and instant message logs, but that the permissions of the database were badly set, exposing this private information to any other app on the device which cared to take a look.

Now Skype have updated the app to version 1.0.0.983 and in doing so have corrected the permissions on the database files. According to a post on the Skype Security blog Skype “have had no reported examples of any 3rd party malicious application misusing information from the Skype directory on Android devices” but they “will continue to monitor closely.”

Skype is recommending that users update to this new version as soon as possible, from the Get Skype section on skype.com or from the Android Market links on skype.com, in order to help protect their information.

According to the Android Police web site Justin Case, who originally found the issue, has taken a look at the updated version and confirmed that the proof-of-concept app he developed to demonstrate the vulnerability no longer functions.

As well as fixing the database permissions Skype have also added 3G calling in the U.S. Previously, calling in the States was only available via Wi-Fi (except for Verizon users who needed to download a special version of the app).

Skype for Android Stores Private Data in Unencrypted DB Accessible by Other Apps

Justin Case of the Android Police web site has discovered that the Android version of Skype uses a simple sqlite3 database to store contacts, profile information and instant message logs. This isn’t bad in itself, but due to a lack of encryption and badly set permissions, this private information is accessible to any other app on the device which cares to take a look.

The databases are stored in the Skype data directory (which has the same name as the configured Skype username). The main database (imaginatively called main.db) has tables for data like account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, webpage, bio and so on. There are also other tables with similar information on the contacts and another table recording the instant messages.

Justin has created a proof-of-concept app that once installed on the device can read the Skype databases. It would be relatively easy for a malicious hacker to create a harmless looking app which in the background snoops around the Skype databases and sends the information to a collection server on the Internet.

Skype has responded to this vulnerability by saying that they “take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.”

They also say that “to protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.”
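
A check a defender can run against an application data tree to catch the permission problem described in the two Android posts above, as an added example that is not from the original articles or from Skype. It is a generic POSIX audit written in Python, meant to be pointed at a copy of the data directory; the function names and the sample tree (apart from the main.db file name, which the article gives) are constructed.

```python
import os
import stat
import tempfile

OTHER_BITS = stat.S_IROTH | stat.S_IWOTH  # readable or writable by any other user


def find_exposed(root):
    """Return sorted relative paths of regular files other users may read or write."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & OTHER_BITS:
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)


def lock_down(root):
    """Restrict the tree to its owner (0700 dirs, 0600 files); return what was exposed."""
    was_exposed = find_exposed(root)
    for dirpath, _dirs, files in os.walk(root):
        os.chmod(dirpath, 0o700)
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                os.chmod(path, 0o600)
    return was_exposed


def build_sample_tree():
    """Constructed layout mirroring the article: <username>/main.db, world-accessible."""
    root = tempfile.mkdtemp(prefix="appdata-")
    user_dir = os.path.join(root, "example_user")  # constructed username
    os.mkdir(user_dir)
    for name, mode in (("main.db", 0o666), ("private.db", 0o600)):
        path = os.path.join(user_dir, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    print("exposed before:", find_exposed(tree))
    lock_down(tree)
    print("exposed after:", find_exposed(tree))
```

Correct permissions stop other apps from opening the files; they do not address the lack of encryption the article also mentions.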

Web sites can launch iPhone applications without prompting

Specially crafted web sites can launch iPhone and iPod Touch apps without the Safari browser asking the user for permission when certain URL protocol handlers (URL schemes) are called. For instance, according to security researcher Nitesh Dhanjani, a web site can use the iframe <iframe src="skype://14085555555?call"></iframe> to launch the Skype app and automatically call a number, provided that the user has saved Skype access data. Criminals would also be able to play around with a number of other applications. For a list of the protocols currently used in the iPhone, see the URL scheme index.

Source:[TheHSecurity]
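
Since the browser does not prompt, the receiving app has to treat a URL scheme launch as untrusted input. The sketch below is an added example, not code from the original article or from any real app: it validates the URL from the paragraph above and refuses to place the call until a user confirmation callback agrees. The function names, the confirmation callback and the number pattern are assumptions.

```python
import re
from urllib.parse import urlsplit

TARGET_RE = re.compile(r"^\+?[0-9]{3,15}$")  # assumed shape of a dialable number
NEEDS_CONFIRMATION = {"call"}                # actions with side effects for the user


def parse_launch_url(url):
    """Split an inbound launch URL into (target, action) or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "skype":
        raise ValueError("unexpected scheme")
    target = parts.netloc or parts.path
    if not TARGET_RE.fullmatch(target):
        raise ValueError("target is not a phone number")
    if parts.query not in NEEDS_CONFIRMATION:
        raise ValueError("unsupported action")
    return target, parts.query


def handle_launch_url(url, confirm):
    """Act on a launch URL only after validation and explicit user consent.

    `confirm` is a callback that shows the prompt text to the user and
    returns True or False (hypothetical UI hook).
    """
    try:
        target, action = parse_launch_url(url)
    except ValueError as exc:
        return {"performed": False, "reason": str(exc)}
    if not confirm(f"A web page is asking to {action} {target}. Continue?"):
        return {"performed": False, "reason": "declined by user"}
    return {"performed": True, "action": action, "target": target}


if __name__ == "__main__":
    url = "skype://14085555555?call"  # the URL quoted in the article
    print(handle_launch_url(url, confirm=lambda prompt: False))
    print(handle_launch_url(url, confirm=lambda prompt: True))
```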