Apr 14 at 9:30 PM, by Alberto Vildosola (25 comments)

Warning: Skype vulnerability leaves your private information out in the open

The guys at AndroidPolice have come across a quite serious vulnerability in the Skype for Android app. The hack allows any other application to access a whole lot of personal information, like “account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, your webpage, your bio, and more.” That’s a lot! Apparently, Skype forgot to add encryption to the databases that store all this data. Really, Skype, really?

Justin from AndroidPolice went ahead and built an app that shows how the vulnerability is exploited. You can download the app here if you want to understand how the Skype app gives out your info like it’s free candy. Skype already responded saying that it’s investigating the issue. You can probably expect the company to push an update tomorrow. Here’s a video on how the hack is achieved. Meanwhile, stay away from downloading shady apps — at least until Skype fixes this.
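As an added example (not code from the original post, AndroidPolice or Skype), here is a small POSIX shell audit that takes an `ls -l` listing of an app's private data directory, the kind `adb shell ls -l` prints, and flags entries that any other app on the device could read or write; the listing, uid, sizes, dates and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from Skype/AndroidPolice.
# Every Android app runs as its own Linux user, so the only thing keeping other
# apps out of /data/data/<pkg>/ is the mode bits on each file. The defect the
# article describes is data files whose "other" read bit is set. This script
# parses the text `adb shell ls -l <dir>` would print and reports such entries.

# Constructed sample listing; uid, sizes, dates and file names are placeholders.
SAMPLE_LISTING='-rw-rw-r-- u0_a42 u0_a42 24576 2011-04-14 20:10 main.db
-rw------- u0_a42 u0_a42  4096 2011-04-14 20:10 prefs.xml
-rw-r--r-- u0_a42 u0_a42 12288 2011-04-14 20:11 contacts.db
drwxrwxrwx u0_a42 u0_a42  4096 2011-04-14 20:11 cache'

# world_readable LISTING: print "NAME MODE" for each entry whose "other" read
# bit (8th character of the mode string, e.g. -rw-rw-r--) is set.
world_readable() {
    printf '%s\n' "$1" | awk 'substr($1, 8, 1) == "r" { print $NF, $1 }'
}

# world_writable LISTING: same for the "other" write bit (9th character); a
# writable entry lets another app tamper with the data, not just read it.
world_writable() {
    printf '%s\n' "$1" | awk 'substr($1, 9, 1) == "w" { print $NF, $1 }'
}

# Counts as plain integers, so the checks can be used in scripts and CI.
count_world_readable() { world_readable "$1" | wc -l | tr -d ' '; }
count_world_writable() { world_writable "$1" | wc -l | tr -d ' '; }

# Human-readable verdict; a correctly locked-down directory prints "OK".
audit_report() {
    n=$(count_world_readable "$1")
    if [ "$n" -eq 0 ]; then
        echo "OK: no world-readable entries"
    else
        echo "FAIL: $n world-readable entries (remediate with chmod o-rwx):"
        world_readable "$1"
    fi
}

audit_report "$SAMPLE_LISTING"
```

The same check can be pointed at a real device by piping `adb shell ls -l /data/data/<pkg>/databases` into the functions, provided the shell user is allowed to list that directory.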

Via: AndroidPolice

Alberto is a college student living somewhere between Miami, Sarasota and the World Wide Web. Although a former iPhone owner, Alberto is now a proud Android enthusiast. You can follow Alberto on Twitter and Google+ for his thoughts unworthy of an article.


  • Keith

    And that is why you are the police. Thanks for the report.

  • Jamal Jenkins (JJ)

    I don’t have to worry about this since I have the iPhone 4. Thank you, Mr. Jobs.

    • Justin Case

      No, you just have to worry about remote root exploits (remote jailbreak) instead.

  • Mark

    Thankfully, I don’t have Skype installed but it’s a bit disturbing because if someone that had the time actually managed to look through just a few hundred of the thousands of apps in the Market, I’m sure they would find bigger exploits than this. I mean if a company as big as Skype can have such a huge security gap who knows what the smaller companies are doing. Scary…

    • http://www.instantmagique.net Benn

      Not many apps have sensitive information the way Skype does. It’s ok if, say, Angry Birds has that kind of vulnerability; all the hacking app might get out of it is your high scores. The problem with Skype is it has more personal info than most apps.

  • Richard Yarrell

    Just disgraceful, Skype.

  • youneek

    All of this information is available publicly anyway through Skype so this is just another post trying to scare people.

    • http://clarklab.net Clark Wimberly

      Skype displays your real name, real phone number, real address, etc on a public facing profile? I didn’t know that. Where do you see this info / disable it?

      • Justin Case

        It doesn’t.

    • Justin Case

      Thanks for your in depth investigation (not), however mine was better. Skype does not expose this information publicly.

      I was able to retrieve some login credentials through Skypwned, but removed the feature before publishing.

      Please read stuff and pay attention before responding.

  • http://infozonex.blogspot.com/search/label/Android Android

    I never heard of that; Skype didn’t show any information at all like this.

  • Maurits

    This should note that this is in the LEAKED version that’s been floating around that was dissected by Mr. Case as above.

    The headline of this post is no better than CNN when they give news like “10.1 Earthquake Strikes the Atlantic” and in the body it reads “in an area where there are no islands or people whatsoever”.

    • Justin Case

      You should read the original source; it affects the leak and the publicly available one on the Market.

  • Steve

    I just got this from Skype:

    Thank you for contacting Skype Customer Service.

    We are sorry to hear that you’re having problems with Skype security. We will do our very best to help you with this.

    We checked the link that you posted on your email and we can confirm that the issue about Skype security is definitely not true.

    Skype takes your privacy very seriously. We have a built-in privacy feature that can restrict who is able and who is not able to contact you or who can use your account that’s why we provided Skype Name and password.

    Skype is a peer-to-peer (P2P) application. Peer-to-peer makes it possible for multiple computers running the same P2P software to communicate and participate in traffic routing, processing and other bandwidth intensive tasks that are usually performed by a central server. P2P allows sharing files containing audio, video, data and real-time data.

    Skype has no single “critical node” that it relies on to operate which makes it incredibly reliable. Skype consists of three types of peer nodes: ordinary nodes, supernodes and relay nodes. Ordinary nodes run the Skype client. They’re the most common, and are what users normally see when they install and use Skype. Supernodes are peer nodes that also perform functions such as assisting with searching for the location of other nodes. These supernodes are not dedicated and come and go. They are not servers; supernodes are regular user computers that run the Skype client, but also temporarily perform other functions. Only a very small percentage of Skype users (if any) become supernodes, mainly because the majority of users have no public IP address. Relay nodes relay media and signalling information between nodes that otherwise can’t reach each other, normally because of firewall permissions or problems traversing NAT (network address translation). Relay nodes aren’t party to the communication content and can’t view or decipher it.

    We’re committed to secure communications and protecting our users’ privacy. We follow the latest best practice in security, including:

    Encryption of data end-to-end with 256-bit AES encryption keys.
    Protection of encryption keys which aren’t revealed to users or escrowed to third parties and are discarded when the session ends.
    Use of credential-based identities and end-to-end encryption to make ‘man-in-the-middle’ attacks very unlikely.
    Our security model also prevents anyone with a supernode or relay node from interfering with, or capturing any part of, a Skype communication, even if they can collect or sniff network data packets. It also makes it very difficult for anybody to eavesdrop on content by installing an internet computer in the theoretical path of Skype traffic.

    No one can guarantee complete anonymity or secrecy. However, our transport layer encryption uses the Advanced Encryption Standard (AES) algorithm. This makes it very unlikely that your Skype communications will be intercepted or decrypted over the P2P network. We use both public and private keys to secure all signals over the P2P network, as well as communications content. Our cryptographic model uses public-key and symmetric-key cryptography, including the AES algorithm in 256-bit integer counter-mode. We also use the 1024-bit RSA algorithm to negotiate symmetric AES keys. User’s public keys are certified at login using 1536 or 2048-bit RSA certificates.

    For more information on Skype P2P, please visit:

    http://www.skype.com/intl/en/support/user-guides/p2pexplained/

    For more information on Skype VoIP, please visit:

    http://www.skype.com/intl/en/support/user-guides/voip

    We hope you found this answer helpful. Should you need any further assistance or have additional questions please do not hesitate to contact us again.

    Best regards,

    Lorie Teena
    Skype Customer Service

    • House

      The issue is not with Skype’s security of handling your calls and whatnot to other users (which they have described nicely, throwing as much technical jargon around as possible).

      It’s the way in which they store your details on YOUR personal phone. They are readable by anyone outside of the Skype app.

      A simple malicious app could be installed which would read this data (your phone number, name, address, email and your contacts’ details as well), then send/sell it to whoever. To avoid it you can simply be careful of what you install until they fix it, or don’t install anything at all.

  • http://evelio.info evelio

    Bah, rooted phones only and with su granted.

    • House

      Wrong, try again.

    • Justin Case

      Bah, another person who can’t read (or see, apparently, since I provided a video).

  • Daniel

    No, the mistake is not in not encrypting (encryption would be nearly useless here), but in leaving it world-readable.

  • House

    Just reading through... did ANYONE actually read the article at all?

    This whole thing is purely because of sloppy/poor programming on Skype’s part. As far as I can tell from Justin’s article on Android Police it shouldn’t even be that hard to fix. It’s just careless that a company which handles so much personally identifiable information does not act responsibly with it.

    I hope apps like Facebook don’t leave all of my contacts’ details and my correspondence with them openly available to read on my phone’s memory. I mean, this is part of the fundamental reason you have passwords for accounts and the ability to log out on your phone, so even if someone opened the app they still couldn’t see any information.

  • http://www.dewimorgan.com Dewi Morgan

    Trouble with encrypting it is that it’s trivial to break clientside encryption. In the industry, we call this kind of encryption “DRM”, and sneer at it, because we know it’s purely cosmetic.

    If one legitimate app can access and decode information stored on your phone, then *any other app on the phone* can also do the same.

    The problem, you see, is that in order to decrypt the encrypted stuff, the legit app needs to store the key to the encrypted data. If it stores the key in a way it can read, then you have the same problem you had with a readable database, but with the key: the key can be read by any app on the system. Which means, it can be used to read the data it protects, by any app on the system.

    So clientside encryption is security through obscurity at best. At worst, it’s security theatre; getting programmers to do something they know is ineffective against a determined attacker, just to make users think they’re safer.

    This has been an issue with all OSes since the early days. The way it tends to be addressed is access permissions, but in most OSes these are user-based. So, to make an app’s data secure, it needs to create a new, unique user, and run as that user. But if the legit app can be installed to make and run as a new user, what’s stopping any other app from installing itself to do the same, and run as the same-named user? Nothing.

    Another way it’s addressed is to have a shared secret (i.e. a password or similar) that the user must type into the application in order to unlock the encrypted area. But these are rife with problems: an app running on the same phone can trivially install a keyboard sniffer; passwords tend to be far less secure than cryptographic keys; and most importantly, users

    So, clientside security is a myth.

    • http://www.dewimorgan.com Dewi Morgan

      Erp, sent before finishing sentence: “and most importantly, users…” tend to want to store their password locally rather than type it in every time, so once again you’re storing the keys to the house under the doormat.

  • http://Website Gjpenn

    This is why I choose only dedicated VoIP based on ATA instead. I use Axvoice and Ooma and to this date haven’t had any kind of privacy issues. Choose your service wisely :) .

  • Kirk

    This inflames me. Skype’s Legal Terms and “Privacy” terms are horrid. They store your instant message logs, voice calls, video calls for up to 30-60 days unless otherwise told by the law to hold your data longer. For any reason permitted they will hold your data and personal information near ransom.

    This thread here makes me never want to use Skype’s service again. I didn’t pay for my Skype Subscription to be monitored and be a honeypot of information / personal data. Skype is a joke and I would rather use any other voip service. Skype is the reason we should all fear putting any type of legitimate personal information on the internet.