
04 January 2007

Q. : Exploitation of any security flaws in the Skype client ? A. : "We have not had any known exploitation of Skype vulnerabilities." and now read my take on this.

A question and the related answer caught my attention in this interview between ZDNet and Skype’s chief security officer, Kurt Sauer (source).

«Do you see any exploitation of any security flaws in the Skype client? Have Skype users been under attack?
Sauer: We have not had any known exploitation of Skype vulnerabilities. Vulnerabilities divide themselves into different categories and we have not seen attack vectors in Skype's products that allow worms or viruses to replicate. Instead, they have tended to be one-off problems that can cause Skype to fail.»

Here is my take. It is a good answer and it is probably right. The essence is that nobody knows what is in the code of Skype, so evaluating what holes it drills into whatever security you have set up is kind of difficult…

I wonder why the below topics were not highlighted in this interview (maybe too sensitive or «not relevant») :

  • the presence of a dual, triple or quadruple login facility in Skype on the same account without notification (this goes for both the web control panel and the client login), which can lead to easy access to contact lists, ongoing chats and files being sent. You simply have no idea whether a password has leaked out. The only thing you can do is reset your password and then change it within the Skype client itself (that is how I do it, safe enough for me, but I wonder how many people know this).

  • the sending of passwords by Skype (available via a public password reset feature via https://) in clear text to the mailbox of the end user is not safe. Any basic sniffer can intercept such information by scanning TCP/IP packets that are floating on the net. On top of that, it only takes one corrupt mail-server administrator or helpdesk guy on the mail server looking into such information to get hold of your contact list. Even if you reset the password as well, they will have seen your contact list for long enough to be able to download it. I don’t feel comfortable with such a type of Skype phone in my hand.

  • the fact that there are applications on the globe that are currently sucking up all the data that a Skype user has published (trusting in good faith the security of Skype, thinking that they are in a way protected). Anybody could start doing «strange» things with those phone numbers and email addresses. I can’t even start to imagine the list of potential abuses on the level of identity theft, spamming, stalking, fraud, impersonation and so on. It makes me shiver that such a system (with no real authentication whatsoever in relation to the true identity of the user) will be linked to the PayPal payment system. Maybe I am exaggerating… We’ll see.

  • the fact that many users can and have simply filled in their email address in the Skype Real name field is a liability, since that same email address is often used for the password reset procedure (the user should not be allowed to fill in an email address in that field).

  • the fact that anybody can create any account from anywhere at any time without any credentials (even yours) and without notification to the owner of the email address. Well okay, «so be it», some say, but it surely puts a big question mark on the business usability of this current infrastructure. I would like to be informed when somebody fills in an email address of the domain name I am managing into a Skype ID. If somebody fills in my email address in a Skype ID, I would like to receive an email before the account is activated.

Those are some of the issues that should be solved. I don’t want a «secure» Skype solution that allows others (whoever they might be) to log in to my Skype ID without notification to the owner of the box.

I would even suggest that that Achilles heel is left there for a reason… It is the small hole through which a whole bunch of mice or rats can crawl in, and it should not be the case.

I have said the above things many times. It is about time something is done about it. I am sure Skype will fix it.
