Reported Vulnerability in Skype for Android Exposes Personal Information
A vulnerability in Skype's app for Android has been discovered that exposes names, e-mail addresses, phone numbers, contacts, and chat logs. Justin Case of Android Police published the exploit after downloading a leaked version of Skype Video. He found an easy way to read the information the app stores on the device, then applied the same method to the current Skype for Android app, which has been available since October 2010.
On April 11, a leaked version of Skype Video hit the web and, having a Thunderbolt, I had to try it. My first impressions of it were positive: it worked and ran smoothly. My next reaction was, you guessed it: let's take it apart. What I discovered was just how poorly this app stored private user data.
I quickly came up with an exploit, and I was in shock at just how much information I could harvest. Everything was available to the rogue app I created, without the need for root or any special permissions.
Surely, only this leaked beta build was vulnerable, or so I thought. But upon examining the standard version of Skype for Android (which has been available since October 2010) I discovered the same vulnerability – meaning this affects all of the at least 10 million users of the app.
The breach does not expose passwords or financial information, but it does lay bare a great deal of personal information. Case also notes that "Skype Mobile for Verizon" appears to be unaffected.
Case's write-up includes an explanation of how the exploit works (it barely needs one), a proof of concept, and a suggestion for how Skype might fix it. He also notes that the data sits on the device in raw form, unencrypted, and that because the app's files were created with permissions that let any other user or program on the device read them, nothing stops a rogue app from simply opening them. The release revived the old argument over publishing 0-day exploits versus keeping them private and contacting only the vendor, who could then fix them.
Skype quickly said it was investigating, and has since published a reply that acknowledges the problem:
It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files.
These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.
To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.
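The weakness Case describes and the fix Skype names are both a matter of file permissions: the app's data files were readable by any uid on the device, and the remedy is to restrict them to the app's own uid. The following shell script is an added example, not code from the article, from Case, or from Skype, showing the check a practitioner would run under `adb shell` on a rooted device or emulator: it lists regular files under an app's data directory that any other user can read, then tightens them. The directory layout, the file names and the package path are assumptions, and the sample directory it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an app's private data directory for world-readable files.
# Assumes a Linux/Android-style filesystem. On a device you would point it at
# /data/data/<package>/ (the path layout is an assumption, not from the article).

# Print every regular file under $1 whose "other" read bit (0004) is set.
# These are the files a rogue app running as a different uid can open directly.
find_world_readable() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# The fix Skype describes: clear group/other bits so only the owning uid
# (the app itself) can traverse the directories or read the files.
harden_dir() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Constructed sample layout mimicking an app data dir with one leaky file
# (mode 644, readable by everyone) and one private file (mode 600).
# The contents are placeholders, not real Skype data.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/files"
    printf 'fake chat log\n' > "$dir/files/main.db"
    printf 'fake profile cache\n' > "$dir/files/private.db"
    chmod 644 "$dir/files/main.db"
    chmod 600 "$dir/files/private.db"
    echo "$dir"
}
```

On a device, `find_world_readable /data/data/com.skype.raider` (package name assumed) lists what any co-installed app could read; the audit checks only the file's own read bit, so also confirm the parent directories are not traversable by others, since a 0600 file inside a 0755 directory is still safe but a 0644 file inside a 0700 directory is not reachable. In app code the equivalent mistake is creating files with a world-readable mode instead of the private default.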
The data can only be stolen by a rogue app that knows where Skype keeps it, so a user would first have to install such an app. The same basic caution that applies to any Internet download would protect most users from this sort of breach. Earlier this year, concerns about Android malware drove marketing campaigns for mobile anti-virus and security apps, so we will have to see whether any of those vendors report malware that uses this exploit.
It is not known how long the permissions have been exploitable, and there are no reports of rogue apps in the wild using this exploit, so Skype may have dodged a bullet here.
A message from John Furrier, co-founder of SiliconANGLE: