Apr 14 AT 9:30 PM Alberto Vildosola 25 Comments

Warning: Skype vulnerability leaves your private information out in the open

The guys at AndroidPolice have come across a quite serious vulnerability in the Skype for Android app. The hack allows any other application to access a whole lot of personal information like “account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, your webpage, your bio, and more.” That’s a lot! Apparently, Skype forgot to add encryption to the databases that store all this data. Really, Skype, really?

Justin from AndroidPolice went ahead and built an app that shows how the vulnerability is exploited. You can download the app here if you want to understand how the Skype app gives out your info like it’s free candy. Skype already responded saying that it’s investigating the issue. You can probably expect the company to push an update tomorrow. Here’s a video on how the hack is achieved. Meanwhile, stay away from downloading shady apps — at least until Skype fixes this.

Via: AndroidPolice

Most Tweeted This Week

White Nexus 4 and Android 4.3 coming June 10th

Updated: HTC employee teases Google Experience HTC One

Google updating Android without updating Android is the biggest news out of I/O 2013

25 Comments Join the discussion!

KeithGuest 04/14/11 9:37 PM

Thumb up Thumb down 0
And that is why you are the police. Thanks for the report.

Reply
Jamal Jenkins (JJ)Guest 04/14/11 10:01 PM

Thumb up Thumb down 0
I don’t have to worry about this since I have the iPhone 4. Thank you, Mr. Jobs.

Reply
- Justin CaseGuest 04/15/11 1:26 AM
  
  Thumb up Thumb down 0
  No, you just have to worry about remote root exploits (remote jailbreak) instead.
  
  Reply
MarkGuest 04/14/11 10:05 PM

Thumb up Thumb down 0
Thankfully, I don’t have Skype installed but it’s a bit disturbing because if someone that had the time actually managed to look through just a few hundred of the thousands of apps in the Market, I’m sure they would find bigger exploits than this. I mean if a company as big as Skype can have such a huge security gap who knows what the smaller companies are doing. Scary…

Reply
- BennGuest 04/15/11 9:48 AM
  
  Thumb up Thumb down 0
  Not many apps have sensitive information the way skype does. It’s ok if say Angry Birds has that kind of vulnerability, all the hacking app might get out of it is your high scores. The problem with skype is it has more personal info than most apps.
  
  Reply
Richard YarrellGuest 04/14/11 11:46 PM

Thumb up Thumb down 0
Just disgraceful skype

Reply
youneekGuest 04/14/11 11:51 PM

Thumb up Thumb down 0
All of this information is available publicly anyway through Skype so this is just another post trying to scare people.

Reply
- 98 Clark Wimberly 04/15/11 12:03 AM
  
  Thumb up Thumb down 0
  Skype displays your real name, real phone number, real address, etc on a public facing profile? I didn’t know that. Where do you see this info / disable it?
  
  Reply
  - Justin CaseGuest 04/15/11 1:25 AM
    
    Thumb up Thumb down 0
    It doesn;t/
    
    Reply
- Justin CaseGuest 04/15/11 1:25 AM
  
  Thumb up Thumb down 0
  Thanks for your in depth investigation (not), however mine was better. Skype does not expose this information publicly.
  
  I was able to retrieve some login credentials through Skypwned, but removed the feature before publishing.
  
  Please read stuff and pay attention before responding.
  
  Reply
AndroidGuest 04/15/11 1:22 AM

Thumb up Thumb down 0
i never heard of that , skype didn’t show any information at all like this .. Android

Reply
MauritsGuest 04/15/11 2:30 AM

Thumb up Thumb down 0
This should note that this is in the LEAKED version that’s been floating around that was dissected by Mr. Case as above.

The headline of this post is no better than CNN when they give news like “10.1 Earthquake Strikes the Atlantic” and in the body it reads “in an area where there are no islands or people whatsoever”.

Reply
- Justin CaseGuest 04/15/11 4:24 PM
  
  Thumb up Thumb down 0
  You should read the original source, it affects the leak, and the publicly available one on the market.
  
  Reply
SteveGuest 04/15/11 2:47 AM

Thumb up Thumb down 0
I just got this from skype:

Thank you for contacting Skype Customer Service.

We are sorry to hear that you’re having problems with Skype security. We will do our very best to help you with this.

We checked the link that you posted on your email and we can confirm that the issue about Skype security is definitely not true.

Skype takes your privacy very seriously. We have a built-in privacy feature that can restrict who is able and who is not able to contact you or who can use your account that’s why we provided Skype Name and password.

Skype is a peer-to-peer (P2P) application. Peer-to-peer makes it possible for multiple computers running the same P2P software to communicate and participate in traffic routing, processing and other bandwidth intensive tasks that are usually performed by a central server. P2P allows sharing files containing audio, video, data and real-time data.

Skype has no single “critical node” that it relies on to operate which makes it incredibly reliable. Skype consists of three types of peer nodes: ordinary nodes, supernodes and relay nodes. Ordinary nodes run the Skype client. They’re the most common, and are what users normally see when they install and use Skype. Supernodes are peer nodes that also perform functions such as assisting with searching for the location of other nodes. These supernodes are not dedicated and come and go. They are not servers; supernodes are regular user computers that run the Skype client, but also temporarily perform other functions.Only a very small percentage of Skype users (if any) become supernodes, mainly because the majority of users have no public IP address. Relay nodes relay media and signalling information between nodes that otherwise can’t reach each other, normally because of firewall permissions or problems traversing NAT (network address translation). Relay nodes aren’t party to the communication content and can’t view or decipher it.

We’re committed to secure communications and protecting our users’ privacy. We follow the latest best practice in security, including:

Encryption of data end-to-end with 256-bit AES encryption keys.
Protection of encryption keys which aren’t revealed to users or escrowed to third parties and are discarded when the session ends.
Use of credential-based identities and end-to-end encryption to make ‘man-in-the-middle’ attacks very unlikely.
Our security model also prevents anyone with a supernode or relay node from interfering with, or capturing any part of, a Skype communication, even if they can collect or sniff network data packets. It also makes it very difficult for anybody to eavesdrop on content by installing an internet computer in the theoretical path of Skype traffic.

No one can guarantee complete anonymity or secrecy. However, our transport layer encryption uses the Advanced Encryption Standard (AES) algorithm. This makes it very unlikely that your Skype communications will be intercepted or decrypted over the P2P network. We use both public and private keys to secure all signals over the P2P network, as well as communications content. Our cryptographic model uses public-key and symmetric-key cryptography, including the AES algorithm in 256-bit integer counter-mode. We also use the 1024-bit RSA algorithm to negotiate symmetric AES keys. User’s public keys are certified at login using 1536 or 2048-bit RSA certificates.

For more information on Skype P2P, please visit:

http://www.skype.com/intl/en/support/user-guides/p2pexplained/

For more information on Skype VoIP, please visit:

http://www.skype.com/intl/en/support/user-guides/voip

We hope you found this answer helpful. Should you need any further assistance or have additional questions please do not hesitate to contact us again.

Best regards,

Lorie Teena
Skype Customer Service

Reply
- HouseGuest 04/15/11 10:22 AM
  
  Thumb up Thumb down 0
  The issue is not with skype’s security of handling your calls and what not to other users. (which that have described nicely throwing as much technical jargon around as possible)
  
  Its the way in which they store your details on YOUR personal phone. they are readable by anyone outside of the skype app….
  
  A simple malicious app could be installed which would read this data…(your phone number, name, address, email and your contacts details as well) then send/ sell it to whoever) to avoid it you can simply be careful of what you install until they fix it, or don’t install anything at all.
  
  Reply
- Justin CaseGuest 04/15/11 4:27 PM
  
  Thumb up Thumb down 0
  Lolwut, skype confirmed it
  
  http://blogs.skype.com/security/2011/04/privacy_vulnerability_in_skype.html
  
  Reply
evelioGuest 04/15/11 7:56 AM

Thumb up Thumb down 0
bah rooted phones only and with su granted

Reply
- HouseGuest 04/15/11 10:26 AM
  
  Thumb up Thumb down 0
  wrong – try again
  
  Reply
- Justin CaseGuest 04/15/11 4:28 PM
  
  Thumb up Thumb down 0
  bah another person who can’t read (or see apparently since I provided a video).
  
  Reply
DanielGuest 04/15/11 8:10 AM

Thumb up Thumb down +1
No, the mistake is not in not encrypting (encryption would be nearly useless here), but in leaving it world-readable.

Reply
HouseGuest 04/15/11 10:35 AM

Thumb up Thumb down 0
Just reading through..did ANYONE actually read the article at all?

This hole thing is purely because of sloppy / poor programming on skype’s part. As far as I can tell from Justin’s article on android police it shouldn’t even be that hard to fix. its just careless that a company which handles so much personally identifiable information does not act responsibly with it.

I hope apps like facebook don’t leave all of my contacts details and my correspondence with them openly available to read on my phones memory. I mean this is part of the fundamental reason you have passwords for accounts and the ability to log out on your phone so even if someone opened the app they still couldnt see any information.

Reply
Dewi MorganGuest 04/15/11 12:00 PM

Thumb up Thumb down 0
Trouble with encrypting it is that it’s trivial to break clientside encryption. In the industry, we call this kind of encryption “DRM”, and sneer at it, because we know it’s purely cosmetic.

If one legitimate app can access and decode information stored on your phone, then *any other app on the phone* can also do the same.

The problem, you see, is that in order to decrypt the encrypted stuff, the legit app needs to store the key to the encrypted data. If it stores the key in a way it can read, then you have the same problem you had with a readable database, but with the key: the key can be read by any app on the system. Which means, it can be used to read the data it protects, by any app on the system.

So clientside encryption is security through obscurity at best. At worst, it’s security theatre; getting programmers to do something they know is ineffective against a determined attacker, just to make users think they’re safer.

This has been an issue with all OS’s since the early days. The way it tends to be addressed is access permissions, but in most OS’s these are user-based. So, to make an app’s data secure, it needs to create a new, unique user, and run as that user. But if the legit app can be installed to make and run as a new user, what’s stopping any other app from installing itself to do the same, and run as the same-named user? Nothing.

Another way it’s addressed is to have a shared secret (ie a password or similar) that the user must type into the application in order to unlock the encrypted area. But these are rife with problems: an app running on the same phone can trivially install a keyboard sniffer; passwords tend to be far less secure than cryptographic keys; and most importantly, users

So, clientside security is a myth.

Reply
- Dewi MorganGuest 04/15/11 12:03 PM
  
  Thumb up Thumb down 0
  Erp, sent before finishing sentence: “and most importantly, users…” tend to want to store their password locally rather than type it in every time, so once again you’re storing the keys to the house under the doormat.
  
  Reply
GjpennGuest 07/21/11 11:20 AM

Thumb up Thumb down 0
This is why i choose only dedicated VoIP based on ATA instead. I use Axvoice and Ooma and till this date hadn’t had any kind of privacy issues. Choose your service wisely :) .

Reply
KirkGuest 12/10/12 7:07 AM

Thumb up Thumb down 0
This inflames me. Skype’s Legal Terms and “Privacy” terms are horrid. They store your instant message logs, voice calls, video calls for up to 30-60 days unless otherwise told by the law to hold your data longer. For any reason permitted they will hold your data and personal information near ransom.

This thread here makes me never want to use Skype’s service again. I didn’t pay for my Skype Subscription to be monitored and be a honeypot of information / personal data. Skype is a joke and I would rather use any other voip service. Skype is the reason we should all fear putting any type of legitimate personal information on the internet.

Reply

Android and Me

Google reveals Samsung Galaxy S 4 Nexus Edition

Android passes 900 million devices activated

Best no-contract plans for unlocked Android devices

Best unlocked Android phone for any budget

Warning: Skype vulnerability leaves your private information out in the open

Most Tweeted This Week

White Nexus 4 and Android 4.3 coming June 10th

Updated: HTC employee teases Google Experience HTC One

Google updating Android without updating Android is the biggest news out of I/O 2013