DBSA:2013-0003
DBSA ID: 2013-0003
Regarding: Microsoft Probing Sites Linked in Skype Chats
Related to: DBSA:2013-0002
Writeup: Kradorex Xeron (talk) 16:52, 21 May 2013 (EDT)
Date: 2013 05 21
Last Modified: 20130521170611 by Kradorex Xeron
Who should take note: Web Server Operators, Web Hosts, System Administrators, Webmasters
Classification
Priority: MEDIUM
Rationale: Operators should be at minimum aware that Microsoft may probe potentially confidential sections of sites.
Severity: LOW
Rationale: There has been no observed impact to operations of webservers.
Spread of Issue: CROSS-PLATFORM HIGH
Rationale: Millions of users use Skype across multiple platforms and any and all webservers accessable on the routable Internet are potential recipients of probing.
Description
Microsoft, the vendor of Skype has been observed probing websites linked in Skype chats. Such probings may be against potentially confidential or otherwise normally "off-limits" sections of websites. Microsoft does not provide an "opt out" mechanism to disable these probings and robots.txt bot control is not respected by Microsoft in these automated probings.
Technical Details
Digibase has directly observed that vendor of Skype has been probing websites that are posted as links in Skype chats. These are performed as HEAD requests transmitted (as per RFC 2616) against the webserver for an unknown reason. the request is typically transmitted from the IP address 65.52.100.214.
An example of such a request is as follows as per Apache HTTPD logs:
<domain> 65.52.100.214 - - [20/May/2013:02:57:49 -0400] "HEAD / HTTP/1.1" 200 - "-" "-"
No notable robots.txt requests have been attempted and the useragent section does not contain any relevant information as to why the HEAD request is being performed or what tool or bot is performing it.
Which the address has the whois:
NetRange: 65.52.0.0 - 65.55.255.255 CIDR: 65.52.0.0/14 OriginAS: NetName: MICROSOFT-1BLK NetHandle: NET-65-52-0-0-1 Parent: NET-65-0-0-0-0 NetType: Direct Assignment RegDate: 2001-02-14 Updated: 2012-03-20 Ref: http://whois.arin.net/rest/net/NET-65-52-0-0-1 OrgName: Microsoft Corp OrgId: MSFT Address: One Microsoft Way City: Redmond StateProv: WA PostalCode: 98052 Country: US RegDate: 1998-07-10 Updated: 2011-04-26 Ref: http://whois.arin.net/rest/org/MSFT OrgAbuseHandle: MSNAB-ARIN OrgAbuseName: MSN ABUSE OrgAbusePhone: +1-425-882-8080 OrgAbuseEmail: abuse@msn.com OrgAbuseRef: http://whois.arin.net/rest/poc/MSNAB-ARIN OrgNOCHandle: ZM23-ARIN OrgNOCName: Microsoft Corporation OrgNOCPhone: +1-425-882-8080 OrgNOCEmail: noc@microsoft.com OrgNOCRef: http://whois.arin.net/rest/poc/ZM23-ARIN OrgTechHandle: MSFTP-ARIN OrgTechName: MSFT-POC OrgTechPhone: +1-425-882-8080 OrgTechEmail: iprrms@microsoft.com OrgTechRef: http://whois.arin.net/rest/poc/MSFTP-ARIN OrgAbuseHandle: HOTMA-ARIN OrgAbuseName: Hotmail Abuse OrgAbusePhone: +1-425-882-8080 OrgAbuseEmail: abuse@hotmail.com OrgAbuseRef: http://whois.arin.net/rest/poc/HOTMA-ARIN OrgAbuseHandle: ABUSE231-ARIN OrgAbuseName: Abuse OrgAbusePhone: +1-425-882-8080 OrgAbuseEmail: abuse@msn.com OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE231-ARIN RTechHandle: ZM23-ARIN RTechName: Microsoft Corporation RTechPhone: +1-425-882-8080 RTechEmail: noc@microsoft.com RTechRef: http://whois.arin.net/rest/poc/ZM23-ARIN
Mitigation/Solution
Operators may wish to set up firewall rules, .htaccess or other Access Control List (ACL) provisions or filter traffic originating from the IP address noted and/or advise their clients and users to not link confidential information in Skype chats.