Wednesday, February 2, 2011

Skype 5.0 Fixes Autodial and No-UI-dial Vulnerabilities

Well, it seems like Skype didn't bother to tell anyone to update to 5.0 for security reasons.  I've been waiting for this release patiently, for months and months, since I reported this bug to them.  Now that it is fixed, I'll disclose the bug myself.  It seems like Skype has a poor excuse for a security response team, though.  From people I have talked to, it seems like you cannot trust them to get back to security researchers, credit them for their findings, or disclose the vulnerabilities to their users.  This is bad for Skype and bad for Skype's users.

The first bug was really blatant: Any web page could cause you to dial a phone number by using JavaScript to launch a 'callto:' URL.  This was tested on Safari.  This meant disclosure of your Skype name, along with unattended computers serving as audio bugs.  Imagine how easy it would be to make a web page that attempts to launch a callto:temporary_skype_name_that_was_made_up_for_attacking_people after a predetermined period of inactivity.  You could record everything going on at someone's house.

The second bug was weird: A callto: based call could be made such that even after you attempted to cancel it, it would remain in progress but with no UI.  You'd need to quit Skype in order to make it end.  This was tested on Skype prior to version 5.0 on the Mac.  To do it, you just need to dial using the recipient's number twice.  For example, to call 5551212, you would use: callto://5551212&5551212
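Both bugs above hinge on a web page being allowed to hand a non-web URL scheme to a helper application. A site that renders untrusted links (a forum, a webmail client, a comment widget) can refuse to emit anything but http/https, and can additionally flag the doubled-target callto: form described for the second bug. The following is an added example written for this post, not code from Skype or from the original author; the function names, the allow-list and the sample URLs are assumptions chosen for illustration.

```javascript
// Added example: defender-side checks for link targets on a page that
// renders untrusted HTML. Only http and https are allowed to be emitted
// as clickable or auto-navigated targets; callto:, skype:, tel: and any
// other helper-app scheme are refused. (Allow-list is an assumption.)
const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Extract the URI scheme (lowercased) or null for a relative URL.
function schemeOf(url) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// A relative URL stays on the current origin; an absolute one must be web.
function isAllowedNavigation(url) {
  const scheme = schemeOf(url);
  if (scheme === null) return true;
  return ALLOWED_SCHEMES.has(scheme);
}

// Split a callto: URL into its '&'-separated targets, tolerating an
// optional leading "//" as in callto://NUMBER&NUMBER from the post.
function calltoTargets(url) {
  if (schemeOf(url) !== "callto") return [];
  const rest = url.slice(url.indexOf(":") + 1).replace(/^\/\//, "");
  return rest.split("&").map((s) => s.trim()).filter(Boolean);
}

// Flag the malformed form where the same target appears more than once,
// which on pre-5.0 Mac clients left a call running with no UI.
function isSuspiciousCallto(url) {
  const targets = calltoTargets(url);
  return new Set(targets).size !== targets.length;
}

// What a renderer would actually use: keep allowed hrefs, neutralise the rest.
function sanitizeHref(href) {
  return isAllowedNavigation(href) ? href : "#";
}

// Constructed sample links, as they might appear in user-submitted HTML.
const SAMPLE_HREFS = [
  "https://example.com/page",
  "/local/path",
  "callto:5551212",
  "callto://5551212&5551212",
];

function report() {
  return SAMPLE_HREFS.map((href) => ({
    href,
    allowed: isAllowedNavigation(href),
    suspiciousCallto: isSuspiciousCallto(href),
    rendered: sanitizeHref(href),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(report());
}

module.exports = { schemeOf, isAllowedNavigation, calltoTargets, isSuspiciousCallto, sanitizeHref, report };
```

This does not replace the client-side fix (Skype 5.0's own handling of the callto: handler); it limits what a page you control will hand to any helper application in the first place, and the duplicate-target check gives you a cheap signal for logging or blocking the specific malformed URL the post describes.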

I found out that Skype 5.0 was released because I manually checked.  I don't think that most users do this on a regular basis.  I bet there are a lot of people out there who are vulnerable to these issues.

Nitesh Dhanjani found a bug similar to this on the iPhone.  More information on his bug is available at [link].