posted by Fnord666 on Monday December 19 2016, @08:16AM
from the can-you-hear-me-now? dept.

Arthur T Knackerbracket has found the following story:

Trustwave recently reported a locally exploitable issue in the Skype Desktop API on Mac OS-X, which provides an API to local programs/plugins executing on the local machine. The API is formally known as the Desktop API (previously known as the Skype Public API – Application Programming Interface) and it enables third-party applications to communicate with Skype. As described in the Trustwave advisory, the issue is an authentication by-pass discovered in the API whereby a local program could by-pass authentication if it identified itself as the program responsible for interfacing with the Desktop API on behalf of the Skype Dashboard widget program.

An interesting possibility is that this bug is the result of a backdoor entered into the Desktop API to permit a particular program written by the vendor to access the Desktop API without user interaction. Indeed, this possibility seems even more likely when you consider that the Desktop API provides for an undocumented client name identifier (namely "Skype Dashbd Wdgt Plugin").

Notifying the user of Desktop API access through the backdoor works differently from the normal course of action, which is to notify the user of an access attempt and prompt the user for permission. In the case of the backdoor no such notification attempt is made and as such the user is not given the opportunity to deny access. Furthermore, no mention is made in the "Manage API Clients" list. This allows any program accessing the Desktop API through the backdoor to remain hidden from the user.

Finally, no attempts are made to determine what programs are accessing the Desktop API, since they identify themselves as the undocumented client name identifier "Skype Dashbd Wdgt Plugin". This opens up the potential for abuse by third-party programs, including malware, running locally on the machine.

Curiously, the actual Skype Dashboard widget does not seem to utilize the backdoor into the Skype Desktop API despite the name "Skype Dashbd Wdgt Plugin". This raises the possibility that the backdoor is the result of a development accident which left the code behind accidentally during the process of implementing the Dashboard plugin. If it was a coding accident, it is an old one. Our investigations have shown that the string "Skype Dashbd Wdgt Plugin" has been present in versions of Skype for Mac OS-X for some 5+ years.

-- submitted from IRC
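
Added example (not from the Trustwave advisory and not Skype's code): a simplified Python model of the authorization flow the story describes, contrasting a check keyed on the self-declared client name with one keyed on a verified code-signing identity that always records the client. `Client`, `Broker`, `compare` and the signer strings are hypothetical; only the client name string comes from the story.

```python
from dataclasses import dataclass, field
from typing import Callable

BYPASS_NAME = "Skype Dashbd Wdgt Plugin"  # client name quoted in the story

@dataclass(frozen=True)
class Client:
    name: str    # self-declared by the connecting program, so attacker-controlled
    signer: str  # code-signing identity as verified by the OS (modelled as a string)

@dataclass
class Broker:
    """Hypothetical model of a local API's client authorization, not Skype's code."""
    ask_user: Callable[[Client], bool]           # stands in for the permission prompt
    trusted_signers: frozenset = frozenset()     # identities allowed without a prompt
    managed: list = field(default_factory=list)  # stands in for "Manage API Clients"
    prompts: int = 0

    def _prompt(self, c: Client) -> bool:
        self.prompts += 1
        allowed = self.ask_user(c)
        self.managed.append((c.name, c.signer, allowed))
        return allowed

    def authorize_flawed(self, c: Client) -> bool:
        # Behaviour the story describes: the special name skips prompt and list.
        if c.name == BYPASS_NAME:
            return True
        return self._prompt(c)

    def authorize_hardened(self, c: Client) -> bool:
        # The name is display-only; trust comes from the verified signer, and
        # even a pre-trusted client is recorded so the user can see and revoke it.
        if c.signer in self.trusted_signers:
            self.managed.append((c.name, c.signer, True))
            return True
        return self._prompt(c)

def compare(client: Client, user_says: bool = False) -> dict:
    """Run one client through both policies with a user who answers user_says."""
    flawed = Broker(ask_user=lambda c: user_says)
    hardened = Broker(ask_user=lambda c: user_says,
                      trusted_signers=frozenset({"VENDOR-ID (constructed)"}))
    return {
        "flawed": (flawed.authorize_flawed(client), flawed.prompts, flawed.managed),
        "hardened": (hardened.authorize_hardened(client), hardened.prompts, hardened.managed),
    }

# Constructed sample: an unrelated local program claiming the special name.
IMPOSTOR = Client(BYPASS_NAME, signer="UNKNOWN-ID (constructed)")
```

Under the flawed policy the impostor is granted access with no prompt and no list entry; under the hardened policy the same client triggers a prompt and the denial is recorded.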


  • (Score: -1, Offtopic) by Anonymous Coward on Monday December 19 2016, @08:42AM

    by Anonymous Coward on Monday December 19 2016, @08:42AM (#443020)

    I don't Skype because I'm fat and ugly and I have such low self esteem I never post except as AC.

    • (Score: -1, Offtopic) by Anonymous Coward on Monday December 19 2016, @08:45AM

      by Anonymous Coward on Monday December 19 2016, @08:45AM (#443023)

      Disregard I suck a jewish dick for breakfast.

    • (Score: 0) by Anonymous Coward on Monday December 19 2016, @08:49AM

      by Anonymous Coward on Monday December 19 2016, @08:49AM (#443024)

      Thank you for your seclusion.

      • (Score: -1, Flamebait) by Anonymous Coward on Monday December 19 2016, @09:02AM

        by Anonymous Coward on Monday December 19 2016, @09:02AM (#443030)

        Not secluded enough bitch. I hate you so much.

  • (Score: 0) by Anonymous Coward on Monday December 19 2016, @10:27AM

    by Anonymous Coward on Monday December 19 2016, @10:27AM (#443050)

    A Backdoor in Skype for Mac OS X

    Who cares about backdoors when the front door is left wide open...?

    • (Score: 2) by Nerdfest on Monday December 19 2016, @11:28AM

      by Nerdfest (80) on Monday December 19 2016, @11:28AM (#443067)

      Since Microsoft bought it, I thought its whole reason for being was as a back door.

  • (Score: 4, Interesting) by opinionated_science on Monday December 19 2016, @10:53AM

    by opinionated_science (4031) on Monday December 19 2016, @10:53AM (#443059)

    Here's my random thought of the day - is there a process that when you have a business growing in the IT/Cloud space, you get a visit from men in dark glasses to insert a backdoor?

    Or are companies like Skype just so large, inevitably they have an exec meeting where the bullet item is:

    "Need backdoor to implement feature X".

  • (Score: 1, Informative) by Anonymous Coward on Monday December 19 2016, @11:10AM

    by Anonymous Coward on Monday December 19 2016, @11:10AM (#443062)

    Try to run Skype on a network that hosts a TOR exit node... Skype will refuse to work. Close the exit functionality of the TOR node and Skype starts to work again after a day.

    The reason? Apparently it becomes difficult for intelligence services to track you in Skype if it also could originate from TOR.

    • (Score: 0) by Anonymous Coward on Monday December 19 2016, @01:43PM

      by Anonymous Coward on Monday December 19 2016, @01:43PM (#443114)

      How does that work if you run Skype in a VM and the Tor node outside the VM?

      • (Score: 0) by Anonymous Coward on Monday December 19 2016, @03:38PM

        by Anonymous Coward on Monday December 19 2016, @03:38PM (#443160)

        If from the outside the IP address is the same, Skype starts to block.

        In my case it was two different systems, sharing one outgoing connection (NAT).