
Infosec bods: This is a backdoor in Skype for Macs. Microsoft: No.

Dodgy API let apps and plugins silently pry into chat logs, record calls and more

A security hole in Skype for OS X allowed installed apps to silently delve into the user's chat logs, record their calls, and leaf through their contacts.

The authentication bypass was discovered by security researchers at Trustwave SpiderLabs, who described the flaw as a backdoor giving access to all manner of sensitive content. Skype exposes a Desktop API that third-party applications and plugins can attach to in order to drive Redmond's internet chat client. A program that wants to attach is supposed to trigger a prompt asking the user for permission first; the bug let it skip that prompt.

In an advisory note this week, the SpiderLabs crew wrote:

An authentication bypass was discovered in the Desktop API offered by Skype for Mac OS X whereby a local program could bypass authentication if it identified itself as a Skype Dashboard widget program. As such, a local program could attach to the Skype Desktop API without informing the user and asking for permission to attach if it utilised a ‘clientAppName’ value of “Skype Dashbd Wdgt Plugin”. For instance, the proof-of-concept code below will initiate the connection process without asking the user for permission for the process to attach:

  #import <Foundation/Foundation.h>

  // Posting the attach request under the widget's name skips the consent prompt.
  NSDistributedNotificationCenter *defaultCenter =
        [NSDistributedNotificationCenter defaultCenter];
  [defaultCenter postNotificationName:@"SKSkypeAPIAttachRequest"
                 object:(__bridge NSString *) CFSTR("Skype Dashbd Wdgt Plugin")];

Microsoft Skype for Mac OS X versions 7.35 and earlier are vulnerable. Mac users are advised to update to version 7.37 or later to steer clear of the security blunder.
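To make the class of flaw concrete, here is a constructed model of an attach gate, written for this page rather than taken from Skype or from Trustwave's advisory. The first function reproduces the logic the advisory describes: a request whose self-reported name matches the dashboard widget is attached with no prompt, and nothing ties that string to the process that sent it. The second keys silent re-attachment on a secret token the host minted only after an earlier, explicit user approval, so the name becomes a label and never an authorisation input. The token scheme, the attach_host structure and the xorshift generator standing in for the OS random source are all assumptions of the example; a real macOS host would more likely verify the peer's code signing identity through the Security framework, which a portable demo cannot do.

```c
/* Constructed model of a Desktop-API-style attach gate. Example code written
 * for this article, not Skype's implementation and not Trustwave's PoC. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BYPASS_NAME "Skype Dashbd Wdgt Plugin"  /* clientAppName quoted in the advisory */
#define TOKEN_LEN   16
#define MAX_CLIENTS 8

/* Result of one attach request: was the client attached, and was the user asked? */
typedef struct { bool attached; bool prompted; } attach_outcome;

/* Vulnerable gate, as the advisory describes it: a self-reported name on an
 * allowlist is enough to skip the consent prompt. Nothing ties the string to
 * the program that sent it, so any local process can present it. */
attach_outcome attach_vulnerable(const char *client_name, bool user_says_yes) {
    attach_outcome out = { false, false };
    if (strcmp(client_name, BYPASS_NAME) == 0) {
        out.attached = true;            /* silent attach, no prompt */
        return out;
    }
    out.prompted = true;
    out.attached = user_says_yes;
    return out;
}

/* Hardened gate (hypothetical design for this example): silent re-attachment
 * requires a secret token the host issued only after the user approved the
 * client once. The name is display-only and never an authorisation input.
 * A real macOS host would more likely verify the peer's code signature via
 * the Security framework; a token keeps this demo portable. */
typedef struct {
    uint8_t  tokens[MAX_CLIENTS][TOKEN_LEN];
    size_t   count;
    uint64_t rng;                       /* xorshift state, stand-in for the OS CSPRNG */
} attach_host;

static uint64_t next_rand(attach_host *h) {
    h->rng ^= h->rng << 13;
    h->rng ^= h->rng >> 7;
    h->rng ^= h->rng << 17;
    return h->rng;
}

/* Constant-time compare so a probing client learns nothing from timing. */
static bool token_eq(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < TOKEN_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Call only after the user clicked "allow": mint a token for the client. */
bool host_issue_token(attach_host *h, uint8_t out[TOKEN_LEN]) {
    if (h->count >= MAX_CLIENTS) return false;
    for (size_t i = 0; i < TOKEN_LEN; i++) out[i] = (uint8_t)(next_rand(h) >> 56);
    memcpy(h->tokens[h->count++], out, TOKEN_LEN);
    return true;
}

attach_outcome attach_hardened(attach_host *h, const char *client_name,
                               const uint8_t *token, bool user_says_yes) {
    attach_outcome out = { false, false };
    (void)client_name;                  /* shown in the prompt, never trusted */
    if (token != NULL) {
        for (size_t i = 0; i < h->count; i++) {
            if (token_eq(h->tokens[i], token)) {
                out.attached = true;    /* previously approved client */
                return out;
            }
        }
    }
    out.prompted = true;                /* unknown or forged credential: ask */
    out.attached = user_says_yes;
    return out;
}

int main(void) {
    attach_host host = { .count = 0, .rng = 0x9E3779B97F4A7C15ULL };
    uint8_t tok[TOKEN_LEN], forged[TOKEN_LEN] = { 0 };

    attach_outcome v = attach_vulnerable(BYPASS_NAME, false);
    printf("vulnerable gate, forged name : attached=%d prompted=%d\n", v.attached, v.prompted);

    attach_outcome h1 = attach_hardened(&host, BYPASS_NAME, NULL, true);    /* first contact */
    if (h1.attached) host_issue_token(&host, tok);
    attach_outcome h2 = attach_hardened(&host, "anything", tok, false);     /* returning client */
    attach_outcome h3 = attach_hardened(&host, BYPASS_NAME, forged, false); /* forged token */
    printf("hardened gate, first contact : attached=%d prompted=%d\n", h1.attached, h1.prompted);
    printf("hardened gate, valid token   : attached=%d prompted=%d\n", h2.attached, h2.prompted);
    printf("hardened gate, forged token  : attached=%d prompted=%d\n", h3.attached, h3.prompted);
    return 0;
}
```

The point of the contrast is where the authorisation decision gets its input: the vulnerable gate reads it from the request body, which the requester controls, while the hardened gate reads it from state the host itself created after the user consented. Whether that state is a token, as here, or a verified code signing identity, the forged widget name buys an attacker nothing more than a prompt.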

Microsoft acknowledged the vulnerability but disputed that it amounted to a backdoor. Redmond doesn't do backdoors, as a statement from the software giant emphasized:

We don’t build backdoors into our products, but we do continuously improve the product experience as well as product security, and encourage customers to always upgrade to the latest version.

Trustwave reckons the suspect functionality may have shipped with versions of Skype dating back more than five years. The so-called backdoor would have been trivial to exploit for malware, or any other untrusted program already running on the machine: no special privileges were needed beyond the ability to post a notification under the widget's name.

For what it's worth, the Desktop API is being discontinued and gradually phased out of the Skype application across all platforms, we're told. Where it is still supported, the interface gives an attached program access to all manner of sensitive content: notifications of incoming messages along with their contents, the ability to modify messages and create chat sessions, the ability to log and record Skype call audio to disk, and access to the user's contacts.

In later versions of the Desktop API, access to text messages was dropped but access to other features remained. ®
