Microsoft addresses issue at eleventh hour, as researcher publicly discloses ‘trivial’ privacy bug in browser plugin
Microsoft has fixed a privacy bug in its Skype extension for Chrome that left millions of users at risk of having their account information leaked.
After turning his attention to the Skype-for-Chrome extension, which has nine million installs, security researcher Wladimir Palant discovered a “trivial” bug that allowed websites to ascertain information about user accounts that should typically be off-limits.
“The privacy flaw is simple,” Palant told The Daily Swig. “The extension leaks your Skype name to any website interested. Usernames and profile images can be freely retrieved by Skype name.”
According to the researcher, the flaw resided in the extension’s identity-tracking functionality, which could determine if a user was logged into a Microsoft account.
Palant discovered that this identification logic ran in the extension’s content script. However, he noted that “in a content script context, sessionStorage is no longer extension’s storage, it’s the website’s. So the website can read it out trivially”.
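The following audit sketch is an added example, not code from the article, the researcher, or the extension. It flags Web Storage use in files that a manifest injects as content scripts, which is the pattern described above. The manifest, file names, source strings and function names are constructed for illustration.

```javascript
// Constructed sample input: a minimal manifest and the sources it refers to.
const manifest = {
  manifest_version: 2,
  background: { scripts: ["background.js"] },
  content_scripts: [
    { matches: ["<all_urls>"], js: ["lib/util.js", "content.js"] },
  ],
};

const sources = {
  // Background pages run on the extension's own origin, so this is not flagged.
  "background.js": 'sessionStorage.setItem("state", "ok");',
  "lib/util.js": "function noop() {}",
  "content.js": [
    "// sessionStorage is mentioned here only in a comment",
    'const id = window.sessionStorage.getItem("userId");',
    'localStorage["lastSeen"] = Date.now();',
    "chrome.storage.local.set({ userId: id });", // extension-only storage
  ].join("\n"),
};

// Files injected into web pages. In these, window.sessionStorage and
// window.localStorage belong to the visited site, not to the extension.
function contentScriptFiles(m) {
  return [...new Set((m.content_scripts || []).flatMap((cs) => cs.js || []))];
}

// Whole-word match, so chrome.storage.* and longer identifiers are ignored.
const WEB_STORAGE = /\b(sessionStorage|localStorage)\b/;

function findWebStorageUse(m, files) {
  const findings = [];
  for (const file of contentScriptFiles(m)) {
    const lines = (files[file] || "").split("\n");
    lines.forEach((text, i) => {
      const code = text.replace(/\/\/.*$/, ""); // naive line-comment strip
      const hit = WEB_STORAGE.exec(code);
      if (hit) findings.push({ file, line: i + 1, api: hit[1] });
    });
  }
  return findings;
}

console.log(findWebStorageUse(manifest, sources));
```

Each finding is a place where data written by the extension lands in storage the page itself can read; identity data belongs in `chrome.storage` or in the background context instead.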
The researcher provided further details in a technical blog post today (March 1):
Back when I reported the issues, [the extension] was listed in Chrome Web Store with more than 10 million users. At the time of writing more than nine million users still remain.
What these users apparently didn’t realize [is that] the extension was unmaintained, with the latest release being more than four years old. All of its functionality was broken, it being reduced to a bookmark for Skype for Web.
Yet despite being essentially useless, the Skype extension remained a security and privacy risk. One particularly problematic issue allowed every website to trivially learn your identity if you were logged into your Microsoft account, affecting not merely Skype users but also users of Office 365 for example.
Microsoft has left the chat
Palant said he disclosed the flaw, along with a proof of concept, to Microsoft on December 1, 2021, but failed to gain a substantive response from the company’s security team.
In response to questions from The Daily Swig back in February, a Microsoft spokesperson said: “Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible.”
As the researcher’s public disclosure deadline of March 1 inched closer, the Skype extension finally received an update on February 24.
“After a lengthy period of communication silence, [Microsoft] finally published an update to resolve the issues,” Palant said.
“The new release shares no functionality with the old extension and is essentially a completely new product. Hopefully this one will no longer be abandoned.”