Infosec bods: This is a backdoor in Skype for Macs. Microsoft: No.
Dodgy API let apps and plugins silently pry into chat logs, record calls and more
A security hole in Skype for OS X allowed installed apps to silently delve into the user's chat logs, record their calls, and leaf through their contacts.
The authentication bypass vulnerability was discovered by security researchers at Trustwave SpiderLabs, which described the flaw as a backdoor that allowed access to all manner of sensitive content. Skype provides a software interface for applications and plugins to tap into so they can use Redmond's internet chat service – although they're supposed to obtain permission to do so.
In an advisory note this week, the SpiderLabs crew wrote:
An authentication bypass was discovered in the Desktop API offered by Skype for Mac OS X whereby a local program could bypass authentication if they identified themselves as a Skype Dashboard widget program. As such, a local program could attach to the Skype Desktop API without informing the user and asking for permission to attach if they utilised a ‘clientAppName’ value of “Skype Dashbd Wdgt Plugin”. For instance, the proof-of-concept code below will initiate the connection process without asking the user for permission for the process to attach:

NSDistributedNotificationCenter *defaultCenter = [NSDistributedNotificationCenter defaultCenter];
[defaultCenter postNotificationName:@"SKSkypeAPIAttachRequest" object:(__bridge NSString *) CFSTR("Skype Dashbd Wdgt Plugin")];

Microsoft Skype for Mac OS X versions 7.35 and earlier are vulnerable. Mac users are advised to update to version 7.37 or later to steer clear of the security blunder.
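The flaw class in the advisory quoted above, trusting a name the caller declares about itself, shown as a simplified model next to a corrected check. This is an added example, not Skype's or Trustwave's code: only the client name string comes from the advisory, while the request and decision types, the verified signing identity field and the trusted signer value are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Client name quoted in the advisory; every other name here is hypothetical.
DASHBOARD_WIDGET_NAME = "Skype Dashbd Wdgt Plugin"
# Assumption: identities the OS has verified from the caller's code signature.
TRUSTED_SIGNERS = {"com.example.vendor.dashboard-widget"}


@dataclass(frozen=True)
class AttachRequest:
    client_app_name: str             # self-declared, so caller-controlled
    signing_identity: Optional[str]  # verified by the OS, None if unsigned


@dataclass(frozen=True)
class Decision:
    attached: bool
    prompted: bool  # True when the user was asked for permission


Prompt = Callable[[AttachRequest], bool]


def attach_vulnerable(req: AttachRequest, ask_user: Prompt) -> Decision:
    # Flawed pattern: a string the caller chose decides whether to prompt.
    if req.client_app_name == DASHBOARD_WIDGET_NAME:
        return Decision(attached=True, prompted=False)
    return Decision(attached=ask_user(req), prompted=True)


def attach_hardened(req: AttachRequest, ask_user: Prompt) -> Decision:
    # The declared name is display-only; only a verified identity skips the prompt.
    if req.signing_identity in TRUSTED_SIGNERS:
        return Decision(attached=True, prompted=False)
    return Decision(attached=ask_user(req), prompted=True)


def silent_unverified(requests, handler, ask_user):
    """Audit helper: requests attached with neither a prompt nor a verified identity."""
    return [r for r in requests
            if handler(r, ask_user) == Decision(True, False)
            and r.signing_identity not in TRUSTED_SIGNERS]


# Constructed sample traffic: a spoofed name, the genuine widget, a normal plugin.
SAMPLE = [
    AttachRequest(DASHBOARD_WIDGET_NAME, None),
    AttachRequest(DASHBOARD_WIDGET_NAME, "com.example.vendor.dashboard-widget"),
    AttachRequest("Example Plugin", None),
]
```

Running `silent_unverified` over the sample with each handler shows the difference: the name-based check silently attaches the unsigned caller that borrowed the widget's name, while the identity-based check sends it to the permission prompt.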
Microsoft acknowledged the vulnerability but disputes that it amounted to a backdoor. Redmond doesn’t do backdoors, as a statement from the software giant emphasizes:
We don’t build backdoors into our products, but we do continuously improve the product experience as well as product security, and encourage customers to always upgrade to the latest version.
Trustwave reckons that the suspect functionality may have shipped with versions of Skype dating back more than five years. The so-called backdoor would have been rather easy for malware and any other naughty programs installed on the machine to exploit.
For what it's worth, the Desktop API is being discontinued and gradually phased out of the Skype application across all platforms, we're told. Where supported, the technology offers access to all manner of sensitive content, including: notifications of incoming messages (and their contents), modifying messages and creating chat sessions, and the ability to log and record Skype call audio to disk and retrieve user contacts.
In later versions of the Desktop API, access to text messages was dropped but access to other features remained. ®