Skype vulnerabilities are always cropping up. The newest Skype security leak was all over the tech news this week. Apparently, its create-a-new-account procedure coupled with its password-reset procedure allowed anyone to take over another person’s Skype account just by knowing that person’s email address. The Next Web actually reproduced the hack and explains, “Essentially, that email address is used to create a new account with your own email address tied to it. Then, minus a couple of key steps, you can use a password reset token to gain access to your target’s account.”
The Skype team were on it right away and a fix was in place within the hour. What’s unfortunate is that the Skype vulnerability had been reported 2 months earlier!
Skype Security Rap Sheet: Viruses, Surveillance recording, IP address tracking
Skype has had a history of security concerns. Like any mega-popular program it’s a mule for all kinds of hacks and viruses, the most recent being a malicious worm that gets sent as a text message link “lol is this your new profile pic?” ExtraLabs Software quotes Chris Kaspersky’s 2007 article “Skype: hidden menace” to explain why Skype is an especially prone to viruses:
“Skype is a black-box with a multi-level encryption system”, said Chris, “it is stuffed with methods to prevent debugging of the executable, and it reads your private information and sends it via Internet using a closed protocol. The latter avoids firewalls and strongly masks traffic to prevent blocking attempts. All of these make Skype an ideal way to transmit viruses, worms and drones creating their own network using existing Skype’s resources.”
Source: ExtraLabs Software
It has also been accused of keeping the decryption keys to its encrypted peer-to-peer (P2P) calls. This would allow Skype to have access to your information or more relevantly, allow law enforcement agencies to access your information. Over the years there have been numerous reports of governments such as China having the ability to eavesdrop on Skype calls.
The issue came up again recently with the approval of Microsoft’s patent for its “Legal Intercept” technology which allows the secret recording of VoIP conversations, like over Skype. Furthermore, a check of Skype’s privacy policy found that Skype does store instant messages and voicemails (albeit not forever), making those concerns more real. To be fair, they are probably doing this to be CALEA compliant. (CALEA requires telecommunications operators to provide a backdoor way for law enforcement to gather information.)
Another issue was the supernode problem where anyone with a little extra bandwidth could end up being a relay for other people’s Skype calls. In effect, it mooches off other people’s bandwidth that they probably paid to have which slows down their network. I should add that this issue should have gone away this year since Microsoft has moved Skype supernodes into the cloud.
Last year, an NYU and French Inria Institute team reported a Skype vulnerability that allowed them to track people’s physical locations by getting people’s IP addresses through Skype calls without their knowing. This was another known flaw that Skype supposedly ignored.
Most recently, documents released by government whistle blower Edward Snowden show that Skype and later Microsoft have been in collusion with the government to create a way to secretly collect data on users’ Skype activities, including Skype video chat. Microsoft continues to deny any knowledge of these allegations.
At VSee, we love what Skype has done to bring video conference into our everyday lives, but we’re not too excited about its security history. If Skype security bothers you, check out some other reasons VSee might be a better choice for you.
Follow us on Twitter (@VSee) and Like us on Facebook to hear about the latest from VSee!
What do you reckon will happen when they discontinue Live Messenger?
Will they turn Skype into the new WLM (as in, open the protocol more)? Will they block MSN clients from the servers that both Skype and WLM are using? Will they just stop updating WLM?