"Dameon has now posted a tcpdump packet capture showing a Skype username and password (http://www.phoneboy.com/2244/proof-of-iskoot-passing-credentials-in-the-clear). If it were SSL-encrypted there is no way he should be seeing this." (source). I am putting the source info here, in case it gets removed... under pressure from those who don't like this...
"10:29:56.656220 IP 10.3.2.124.43852 > 69.25.76.54.80: P 1:410(409) ack 1 win 64240 <nop,nop,timestamp 415368834 3930262309>
0x0000:  4500 01cd 747d 4000 4506 21e0 0a03 027c  E...t}@.E.!....|
0x0010:  4519 4c36 ab4c 0050 1c0c e369 bc2c c4f5  E.L6.L.P...i.,..
0x0020:  8018 faf0 2fba 0000 0101 080a 18c2 0682  ..../...........
0x0030:  ea43 0b25 4745 5420 2f73 6372 6970 742f  .C.%GET./script/
0x0040:  6765 745f 7265 675f 6b65 792e 706c 3f6e  get_reg_key.pl?n
0x0050:  616d 653d 696e 7365 6375 7265 2d75 7365  ame=insecure-use
0x0060:  7226 7061 7373 3d69 6e73 6563 7572 652d  r&pass=insecure-
0x0070:  7061 7373 776f 7264 2673 6964 3d77 6b53  password&sid=wkS
0x0080:  6870 4363 5933 3962 5426 6275 696c 643d  hpCcY39bT&build=
0x0090:  6953 6b6f 6f74 2d53 3630 2664 6576 6963  iSkoot-S60&devic
0x00a0:  653d 4e4f 4b49 412d 4e39 3526 6361 703d  e=NOKIA-N95&cap=
0x00b0:  6368 6174 3a32 2c70 7573 683a 3226 6e65  chat:2,push:2&ne
0x00c0:  7477 6f72 6b3d 736b 7970 6526 6c61 6e67  twork=skype&lang
0x00d0:  3d45 4e26 7665 7273 696f 6e3d 312e 312e  =EN&version=1.1.
0x00e0:  3539 2661 6374 3d31 2666 7764 6e62 723d  59&act=1&fwdnbr=
0x00f0:  2532 4231 3336 3039 3831 3634 3136 2666  %2B13609816416&f
0x0100:  6972 7374 7573 653d 3230 3038 2d30 342d  irstuse=2008-04-
0x0110:  3236 2d30 302d 3537 2673 6571 3d36 2663  26-00-57&seq=6&c
0x0120:  6c69 643d 556e 6176 6169 6c61 626c 6520  lid=Unavailable.
0x0130:  4854 5450 2f31 2e31 0d0a 486f 7374 3a20  HTTP/1.1..Host:.
0x0140:  6973 6b2d 626f 732d 6170 7031 2e69 736b  isk-bos-app1.isk
0x0150:  6f6f 742e 636f 6d0d 0a41 6363 6570 743a  oot.com..Accept:
0x0160:  2074 6578 742f 706c 6169 6e0d 0a55 7365  .text/plain..Use
0x0170:  722d 4167 656e 743a 2069 536b 6f6f 7420  r-Agent:.iSkoot.
0x0180:  5379 6d62 6961 6e0d 0a58 2d4e 6f6b 6961  Symbian..X-Nokia
0x0190:  2d4d 7573 6963 5368 6f70 2d56 6572 7369  -MusicShop-Versi
0x01a0:  6f6e 3a20 312e 302e 300d 0a58 2d4e 6f6b  on:.1.0.0..X-Nok
0x01b0:  6961 2d4d 7573 6963 5368 6f70 2d42 6561  ia-MusicShop-Bea
0x01c0:  7265 723a 2057 4c41 4e0d 0a0d 0a  rer:.WLAN...."
My take is that this kind of security flaw in whatever attaches itself to Skype is lethal for the trust of users in Skype and its partners. Don't forget that iSkoot is Skype certified. So there is no hiding this time...
I hope this problem is solved, so the security Skype bloggers can start ranting about something else. In the meantime be happy that you can call for "free" and change your password on a regular basis.
In the end, this kind of publicity is not what both companies should be looking for...
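A capture like the one quoted in this post can be checked mechanically. The Python below is an added example, not code from the original post or from iSkoot or Skype: it rebuilds the packet from `tcpdump -X` rows, skips the IPv4 and TCP headers, and reports secret-looking query parameters sent over plain HTTP. The `SENSITIVE` list and all function names are assumptions; the sample rows are the first eight rows of the capture above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameter names treated as secrets (an assumption; tune for your apps).
SENSITIVE = {"pass", "password", "passwd", "pwd", "token", "secret"}
# One `tcpdump -X` row: offset, up to 8 hex groups; "0×" tolerates web-mangled dumps.
ROW = re.compile(r"^\s*0[x×][0-9a-f]{4}:\s+((?:[0-9a-f]{2,4}(?:[ \t]+|$)){1,8})", re.I | re.M)

# First eight rows of the capture quoted in this post (packet truncated at 0x0080).
SAMPLE = r"""
0x0000:  4500 01cd 747d 4000 4506 21e0 0a03 027c  E...t}@.E.!....|
0x0010:  4519 4c36 ab4c 0050 1c0c e369 bc2c c4f5  E.L6.L.P...i.,..
0x0020:  8018 faf0 2fba 0000 0101 080a 18c2 0682  ..../...........
0x0030:  ea43 0b25 4745 5420 2f73 6372 6970 742f  .C.%GET./script/
0x0040:  6765 745f 7265 675f 6b65 792e 706c 3f6e  get_reg_key.pl?n
0x0050:  616d 653d 696e 7365 6375 7265 2d75 7365  ame=insecure-use
0x0060:  7226 7061 7373 3d69 6e73 6563 7572 652d  r&pass=insecure-
0x0070:  7061 7373 776f 7264 2673 6964 3d77 6b53  password&sid=wkS
"""

def packet_bytes(dump):
    """Rebuild the raw packet from the hex column, ignoring the ASCII column."""
    return b"".join(bytes.fromhex(m.group(1)) for m in ROW.finditer(dump))

def tcp_payload(pkt):
    """Return (dst_port, payload) for an IPv4/TCP packet, else None."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0    # IPv4 header length in bytes
    if len(pkt) < ihl + 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    dport = int.from_bytes(pkt[ihl + 2:ihl + 4], "big")
    return dport, pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]   # skip TCP header + options

def cleartext_secrets(dump):
    """Return (dst_port, path, param) for each secret sent in a plain-HTTP query string.
    Values are deliberately not returned, so alerts never copy the password."""
    parsed = tcp_payload(packet_bytes(dump))
    if parsed is None:
        return []
    dport, payload = parsed
    line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    m = re.match(r"(?:GET|POST|PUT|HEAD) (\S+)", line)
    if m is None:                              # e.g. TLS record bytes: no request line
        return []
    url = urlsplit(m.group(1))
    return [(dport, url.path, k) for k, _ in
            parse_qsl(url.query, keep_blank_values=True) if k.lower() in SENSITIVE]

if __name__ == "__main__":
    print(cleartext_secrets(SAMPLE))
```

Had the same request travelled inside TLS, the payload would begin with TLS record bytes and the function would return an empty list.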





























