DBSA:2013-0002
DBSA ID: 2013-0002
Regarding: Skype Chat Security
Writeup: Kradorex Xeron (talk) 01:23, 21 May 2013 (EDT)
Date: 2013 05 21
Last Modified: 20130521002447 by Kradorex Xeron
Who should take note: All Skype users
Classification
Priority: URGENT
Rationale: Users must be able to take action to ensure their data is secure.
Severity: MEDIUM
Rationale: The skype protocol has been displayed to have a weakness whereas a third party may compromise data mid-communication.
Spread of Issue: CROSS-PLATFORM HIGH
Rationale: Millions of users use Skype across multiple platforms.
Description
Skype is a voice, video and text chat suite targeted toward users across the world, it is designed with simplicity in mind. The vendor (Microsoft) has been shown to be capable of intercepting the chat communication mid-transit between users.
Technical Details
The Skype protocol's security is able to be compromised by the vendor by means of decrypting chat messages at the Skype servers operated by the vendor. This has been discovered since the vendor probes websites linked in said chat messages.
Digibase has directly observed that vendor has been probing websites that are posted as links in Skype chats. These are performed as HEAD requests transmitted (as per RFC 2616) against the webserver for an unknown reason. the request is typically transmitted from the IP address 65.52.100.214.
An example of such a request is as follows as per Apache HTTPD logs:
<domain> 65.52.100.214 - - [20/May/2013:02:57:49 -0400] "HEAD / HTTP/1.1" 200 - "-" "-"
Mitigation/Solution
It is strongly advised that Skype users exchanging sensitive and/or confidential information utilize other means such as IRC over SSL or PGP encrypted email. If voice chat is required, it is advised that a solution like Teamspeak be set up and utilized.
