Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

On Skype URL eavesdropping

From: Kirils Solovjovs <kirils.solovjovs () kirils com>
Date: Fri, 17 May 2013 00:41:09 +0300
You may have read about this in another list.
http://lists.randombit.net/pipermail/cryptography/2013-May/004224.html
http://financialcryptography.com/mt/archives/001430.html
I'd like to give out some observations and point out some not so obvious risks (as if Microsoft Skypyingâ„¢ on your conversations is not enough). 

Requests always come from the same IP 65.52.100.214.
They have referrer and user agent set to a dash "-".
They are always HEAD requests which immediately follow 302 redirects.
They access both http and https links despite some speculations saying that they do it one way or the other. This is a relatively new phenomena that by my accounts is happening since the end of April 2013.
Sidenote: A couple of years ago before acquisition by Microsoft, Skype expressed unhealthy level of interest in my work, so I decided to run a privacy test trying to catch them red handed. I set up some traplinks, but to this day noone has triggered them. Maybe it had to do with me using a Linux version of their client at that time...
Back to the point. Now that it's clear that [at least] links from users' private chats somehow magically end up at Redmond, it's obviously a privacy issue of having some usernames/password/sessions/whatever embedded in the URL.
But this also allows the sysad/webmaster to see when a link is shared on Skype. And with a little magic logic, to see the IP address(es) of people receiving that link. To give you an example, I was able to learn that just around midnight of May 7 the paper http://kirils.org/skype/stuff/pdf/2011/ms_thesis_analysis.pdf was shared between a student of Chalmers University and a student of Comenius University via Skype (oh,the irony) 

Who shared what when? Skype knows.
Now how about some trolling... er, I mean security implications for Microsoft themselves.... 

RewriteCond %{REMOTE_HOST}  65\.52\.100\.214
RewriteCond %{REQUEST_METHOD} HEAD
RewriteRule .* http://123 [R=302,L]

where 123 can be either one of:
1) an offensive url, e.g. goatse
2) a redirect loop
3) a CSRF to a local device, see http://nakedsecurity.sophos.com/2013/04/11/anatomy-of-an-exploit-linksys-router-remote-password-change-hole/ 


Kirils Solovjovs

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: