Keeping Skype safe
By Kurt on May 22, 2006 in Reviews and news.
Last Friday (2006-05-19) we issued a Skype Security Bulletin that describes a bugfix in the way that certain Skype weblinks are handled. I wanted to give a bit of explanation about what this means and how to upgrade to the newest version.
Skype lets people use web links to get Skype to do things for them, such as to start a chat, make a call or initiate a conference call. We have information about these links on our Share site. One of the features we have is to allow the sending of files from one user to another, using the “sendfile” directive.
How do you use sendfile?
Users can use a web page to send a file from one user to another with a web link such as skype:user1?sendfile, which sends a file to “user1”. But what you do not see here is the name of the file to send. When we designed the sendfile directive, we believed that the sender should be required to select the file to be sent, in order to prevent any abuse.
In the example above, if a Skype user clicked on the link, a file transfer dialogue box would appear, titled “Send file to user1”, and asking the user to select the file to send. The user can send a file only to someone he has “authorized” (exchanged contact details with) and can stop the transfer by clicking “Cancel”.
What is the bug?
It turns out that the arguments to the skype: link can be built incorrectly so that the file can be specified in the link, not selected using the file selection dialogue box. You can only make the incorrect construction work under specific conditions, but it can happen. That isn’t the behavior we specified in our design, so we fixed the bug immediately, published a vulnerability notice and sent a recommendation notice to Skype users that they upgrade their software in order to close the vulnerability.
The bug is not trivial to exploit, however. Skype allows files to be sent only to people who have “authorized” the sender, which complicates an attack somewhat. In addition, if a malicious user initiates a file transfer, the user can cancel the transfer in the usual way by clicking “Cancel”. Clearly, of course, the best way to handle this is to upgrade your Skype for Windows client to the most recent edition (either 2.0 or 2.5), which is fixed.
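One way a link handler or page audit can enforce the design rule described above (the link names only the recipient, and the file is always chosen in the dialogue box), as an added example that is not Skype's code. The `call` and `chat` spellings, the user-name pattern and the sample links are assumptions constructed for illustration; the page does not give the malformed construction and none is reproduced here.

```python
import re
from html.parser import HTMLParser

# Only "sendfile" is spelled on the page; "call" and "chat" are assumed names.
ALLOWED_DIRECTIVES = {"call", "chat", "sendfile"}
# Assumed shape of a Skype name; the page only shows "user1".
USER_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]{0,31}")

def check_skype_link(link):
    """Return (ok, reason); accept only skype:<user>[?<directive>], no arguments."""
    scheme, sep, rest = link.partition(":")
    if not sep or scheme.lower() != "skype":
        return False, "not a skype: link"
    if "%" in rest or any(ch.isspace() or ord(ch) < 0x20 for ch in rest):
        return False, "encoded, whitespace or control characters"
    user, has_query, query = rest.partition("?")
    if not USER_RE.fullmatch(user):
        return False, "unexpected user name"
    if not has_query:
        return True, "no directive"
    # Directive name = leading run of letters; anything after it is an argument.
    name = re.split(r"[^A-Za-z]", query, maxsplit=1)[0].lower()
    if name not in ALLOWED_DIRECTIVES:
        return False, "unknown directive"
    if query.lower() != name:
        return False, name + " directive carries extra arguments"
    return True, name

class _SkypeHrefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        # Attribute values arrive already entity-decoded (&amp; -> &).
        for key, value in attrs:
            if key == "href" and value and value.lower().startswith("skype:"):
                self.links.append(value)

def audit_page(html):
    """Return [(link, reason)] for every skype: link the checker rejects."""
    parser = _SkypeHrefs()
    parser.feed(html)
    results = [(link, check_skype_link(link)) for link in parser.links]
    return [(link, reason) for link, (ok, reason) in results if not ok]

# Constructed page; the last link is a placeholder for "extra argument", not
# the malformed construction from the bulletin (the page does not give it).
SAMPLE_PAGE = """<a href="skype:user1?sendfile">Send</a>
<a href="skype:user1?sendfile&amp;x=placeholder">constructed</a>"""
```

Calling `audit_page(SAMPLE_PAGE)` lists only the second link, because the checker treats anything after the directive name as an argument the design never intended.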
What are we doing to prevent a repeat problem?
The architect of the Skype weblinks and the responsible development team have independently audited the implementation of the Skype URLs to ensure that there are no repeats of the argument handling problem that occurred in this case. (And the bug discovered in this case has no relationship to any previous bugs in Skype.)
I want to take a moment to say “thanks” to Brett Moore of Security-Assessment.com Ltd, who referred this issue to us for resolution. Brett clearly explained their discovery and made himself available to discuss the problem at length.





Comments
A lot of telecommunications companies are blocking unregulated voice over IP telephony. I know at least 12 carriers in the Middle East alone that ban all Skype traffic in particular. I used to enjoy the freedom Skype provides me because I don't have to put up with ridiculous long distance prices. Is data encryption a feature to be implemented in future Skype releases? Security issue is also a benefit.
mshahwan | Tuesday, May 23
Have you seen somebody has been in Finnish sites and made something bad? The second sentence in FINNISH LABEL has moved!
anmaheoj | Monday, Jun 19
Kurt,
We have proprietary technology that binds the authentication procedures to content enabling the content to self-authenticate against those attempting access. One can add the devices, and of course, the people to the permission structure as well.
Data stays in the context delivered, malware/Trojans can't get in, the data cannot be manipulated after a secure session has been established, or after the fact - we are not dependent on a centralized, third-party authority for authentication.
I think our approach may be of interest, how best do I connect if you are?
David
dmshaw7219 | Thursday, Jun 22
Skype *ISN'T* secure.
The company is refusing to implement true SSL.
That means only one thing. The company wants access to our user content.
It is criminal to be posting a "security blog" and trying to market to people that "Skype is secure" when it really isn't - the liability scenarios for Skype the company are substantial, as all these web pages and other things that are being posted here are trying to make people think Skype is secure ... and that is something that isn't true.
I hope Skype will change their view on this and provide true SSL, which is extremely easy to implement.
All this other work they are doing to make an alternative PKI infrastructure rather than just downloading true SSL (like HTTPS) and using OPENSSL is kind of disturbing to be honest.
I hope the company changes its view ... they haven't moved an inch in 6 months, so we are dumping it.
They've done a great job and deserve kudos for all things except for security.
"Marketing" and "Propaganda" to make people think a product is secure ... doesn't make the product secure.
The Internet desperately needs a truly secure person-to-person communications mechanism, that isn't Skype. Whether the intentions are good, or bad, Skype's developers are definitely and intentionally preserving the right to eavesdrop on user content.
They have only put "user content is not archived" in their agreement.
They did not put "no user content is read by any party other than the parties participating in the communications."
That says all there is that needs to be said about "Skype Security".
I really like everything else about the technology however, we are still dropping it after 6 months of playing with it. True security is a mandatory requirement.
autonoc | Tuesday, Jul 11
In fact ... here is source code Skype can incorporate into their product very easily to make it secure:
http://www.rtfm.com/openssl-examples/
They can then provide a standard certificate with the product, or generate a new one for the user upon installation and store it in a folder, all transparent and easy, no user issues.
Anyone concerned about security, like I am, can then use their own certificate for validation and identity assurance.
The larger question here is ... why isn't Skype implementing true SSL?
If they just use the industry standard, they could then transfer some of the developers over to working on more useful things than intercepting user content like making multiple-video conferences work.
autonoc | Tuesday, Jul 11
It's a funny thing with this SKYPE !!!
I have changed my password and all was done correctly !!!BUT!!!
my Skype now is permanently disconnected, and my idea about it is:
1. it's someone else online at the same time under my log name !
2: and if I try to speak in SKYPE it makes this trouble...
so it means SKYPE is not that secure, like they tell. Or is it my fault?
simple_ig | Sunday, Aug 20
One of the most basic issues of security with Skype is encryption of the voice and video streams.
Much to-do is made over the security of the authentication and web content, chat content and other P2P content.
Normally VOIP is not truly encrypted and can be "tapped" by anyone having access to the packets. Anyone who can implement a sniffer can capture the voice packets and replay them once the voice compression and digitizing method is known.
Skype has never declared that the voice stream is encrypted. I have not spent any time testing this but my guess is that it is not an encrypted stream.
Am I correct?
james.vierra | Saturday, Sep 2
I was getting some worm detection message from Norton anti-virus...., it showed the attack was on IIS HTTP port 80, I knew I was not running any webserver, I checked if IIS was installed, it was not, but when I did telnet..... telnet 127.0.0.1 80 ........ voila........ it shows there is some process listening........
then I checked with........ netstat -a -b ............
there it was ......Skype.exe
Skype opens up port 80 {HTTP}, and also the HTTPS port too I guess, so runs a process listening on that port, just figured it out....
maybe the 111th one to do so........, But it is really weird, your webserver port is being used up.......
Is it not a convention to use ports with number higher than 1024 (IANA)? http://www.iana.org/cgi-bin/usr-port-number.pl
sksimhalu | Saturday, Oct 28
There is one issue with Skype security that I haven't seen any comment on... Namely if you know someone's password (and I imagine this is a relatively easy task with a dictionary attack) you are then able to listen-in on their chat conversations (I haven't tried this with Voice yet). This came to light recently as I was travelling and had left Skype up and running (and logged in) on my desktop PC. During the travel I used chat and when coming home, to my surprise all this chat was visible on my desktop PC. The obvious fix for this would be to ensure that an account can only be logged in at one place (as all the other IM clients have implemented)... I know from experience that this is a problem because my partner's account has been compromised (others using it to log on with) as it was logged in with while my partner was not around...
This seems like a huge security hole.... No such thing as a guaranteed private chat with Skype.....
sergemeeuwsen | Saturday, Nov 18
Beware of the latest Skype Phishing Scam. Please read the full account in my blog. I think they are terrorists because I traced the scammers' homepage and it is written in Arabic.
This is the location of my blog:
http://www.thefinestwriter.com/beware_skype_wannabee_scam.htm
mikelgabriel | Saturday, Sep 22