Full Disclosure mailing list archives
Re: On Skype URL eavesdropping
From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 16 May 2013 19:17:55 -0400
On Thu, May 16, 2013 at 5:41 PM, Kirils Solovjovs <kirils.solovjovs () kirils com> wrote:
You may have read about this in another list.
http://lists.randombit.net/pipermail/cryptography/2013-May/004224.html
http://financialcryptography.com/mt/archives/001430.html
I'd like to give out some observations and point out some not so obvious risks (as if Microsoft Skypying™ on your conversations is not enough).
Requests always come from the same IP 65.52.100.214. They have referrer and user agent set to a dash "-". They are always HEAD requests which immediately follow 302 redirects. They access both http and https links despite some speculations saying that they do it one way or the other.
This is a relatively new phenomenon that by my accounts is happening since the end of April 2013.
...
Back to the point. Now that it's clear that [at least] links from users' private chats somehow magically end up at Redmond, it's obviously a privacy issue of having some usernames/password/sessions/whatever embedded in the URL.
There could be legal concerns here too (if a prosecutor takes interest in folks besides the Swartzes of the world). I can't wait to see the first CFAA violation brought against interception services like these. Consider: the owner of the remote server surely did not authorize the interception service to access the site with a user's username and password. That's a clear violation of exceeding one's authority under the CFAA since the interception service had no authority from the server's owners.
Jeff
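A log check for the fingerprint reported in the quoted post (HEAD requests from 65.52.100.214 with referrer and user agent both "-"), which also notes when the fetched URL carried a credential-like query parameter. This is an added example, not part of either poster's message; it assumes the Apache/nginx "combined" log format, and the parameter-name list and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

SCANNER_IP = "65.52.100.214"  # source address reported in the post

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hypothetical list of query parameter names that usually carry secrets.
SECRET_PARAMS = {"password", "passwd", "pwd", "token", "session",
                 "sessionid", "sid", "auth", "key", "apikey"}

def find_link_fetches(lines):
    """Return one record per log line matching the reported fingerprint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line or a different log format
        seen = (m["ip"], m["method"], m["referer"], m["ua"])
        if seen != (SCANNER_IP, "HEAD", "-", "-"):
            continue
        parts = urlsplit(m["target"])
        names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        hits.append({
            "time": m["ts"],
            "path": parts.path,
            "status": int(m["status"]),
            # Report parameter names only, never the secret values.
            "secret_params": sorted(names & SECRET_PARAMS),
        })
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '65.52.100.214 - - [16/May/2013:20:01:12 +0000] "HEAD /reset?user=alice&token=EXAMPLE HTTP/1.1" 200 - "-" "-"',
    '203.0.113.7 - - [16/May/2013:20:01:10 +0000] "GET /reset?user=alice&token=EXAMPLE HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '65.52.100.214 - - [16/May/2013:20:05:44 +0000] "HEAD /blog/post-1 HTTP/1.1" 200 - "-" "-"',
    '198.51.100.9 - - [16/May/2013:20:06:01 +0000] "HEAD /blog/post-1 HTTP/1.1" 200 - "-" "-"',
    'not an access log line',
]

if __name__ == "__main__":
    for hit in find_link_fetches(SAMPLE_LOG):
        print(hit)
```

Any record with a non-empty `secret_params` list marks a URL whose embedded credential or session value should be treated as disclosed and rotated.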