Microsoft doesn’t feel the bugs are important enough to fix immediately, although one researcher disagrees
Several purported security flaws in Skype have been disclosed publicly, but Microsoft claims they do not need “immediate security servicing”.
On February 2, researcher ‘mr.d0x’, also known as ‘TheCyberSecurityTutor’, publicly disclosed a “plague” of spoofing vulnerabilities in the Microsoft-owned remote chat and video app.
The researcher first began examining Skype in the second week of January and quickly found that the application’s messaging functionality does not have adequate protection against tampering.
As a result, it is possible to spoof links, file names, file sizes, and shared contacts on thick clients, web sessions, and on mobile.
According to the researcher, tampering is possible by sending the content you want to spoof, intercepting the subsequent requests, and forwarding them with modified code – for example, by modifying href and key attributes, or by intercepting spoofed content and changing values such as OriginalName, FileSize, and file extensions.
When it comes to spoofing shared contacts, this can be achieved by sharing a contact, intercepting the request, and modifying either the display name or username, which will, in turn, be reflected to the recipient.
The researcher also accidentally uncovered a means to crash a conversation on thick and web clients. If “too many” tags are added to the content value, this will render a chat session unresponsive and “fully inaccessible” for both an attacker and victim.
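The link spoofing and tag flooding described above can both be checked on the receiving side before a message is rendered. The Python below is an added example, not code from the article, the researcher or Microsoft; it assumes the message content is HTML-like with `<a href>` anchors, and `LinkAudit`, `host_of`, `audit_message` and the `MAX_TAGS` limit of 200 are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_TAGS = 200  # assumed cap; the article only says "too many" tags
# Visible text that is itself a URL or bare domain; group 1 is the host shown.
URLISH = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[:/?#]\S*)?$", re.I)

class LinkAudit(HTMLParser):
    """Counts tags and records [href, visible text] for every anchor."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.links, self.in_anchor = 0, [], False
    def handle_starttag(self, tag, attrs):
        self.tags += 1
        if tag == "a":  # an unclosed anchor still gets recorded
            self.links.append([dict(attrs).get("href") or "", ""])
            self.in_anchor = True
    def handle_data(self, data):
        if self.in_anchor:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self.in_anchor = False

def host_of(href):
    try:
        return (urlsplit(href).hostname or "").lower()
    except ValueError:  # malformed authority: treat as having no host
        return ""

def audit_message(content):
    """Return findings for one message's content value (assumed HTML-like)."""
    parser = LinkAudit()
    parser.feed(content)
    parser.close()  # flush text still buffered by the parser
    findings = []
    if parser.tags > MAX_TAGS:
        findings.append(("tag-flood", parser.tags))
    for href, text in parser.links:
        shown = URLISH.match(text.strip())
        if shown and shown.group(1).lower() != host_of(href):
            findings.append(("link-mismatch", shown.group(1).lower(), host_of(href)))
    return findings

# Constructed sample: the link text names one host, the href points at another.
SAMPLE = '<a href="https://example.test/payload">https://www.microsoft.com/download</a>'
if __name__ == "__main__":
    print(audit_message(SAMPLE))
```

Link text that is not URL-like, such as "Click here", is skipped because there is no displayed host to compare against; a dotted file name such as `report.pdf` does match the pattern and is compared like a host.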
Another interesting spoof is the opportunity to spear-phish using Skype’s domain name.
Mr.d0x explained that once a file has been shared between chat participants, it is uploaded to Skype servers and access is maintained – but if a target has an active Microsoft Outlook session, an attacker could email the link to the file, intercept it, and once again tamper with the request.
“Skype’s domain is trusted and so you won’t have to worry about your link being flagged by email providers,” the researcher noted.
In addition, mr.d0x discovered a way to spoof a domain and break out of the Skype chat bubble.
The findings were submitted on January 13 to Microsoft’s spoofing and tampering report categories, but the Redmond-based tech giant rejected the reports.
The spear-phishing bug was submitted separately under tampering two days later, and this was also rejected.
“Microsoft’s point of view is that because these vulnerabilities revolve around tricking a user into doing something they’re not as critical,” mr.d0x told The Daily Swig.
“All of these low-level spoofing techniques rely on the victim clicking on a link from the attacker and bypassing any security warnings shown in the application,” a Microsoft spokesperson told The Daily Swig.
Offering additional context as to why these issues were not deemed security vulnerabilities, the company said that users are presented with several warnings when these techniques are run.
For example, hovering over a spoofed link will show the true link, while users are also shown a warning to only download files from people they trust.
While potentially of low impact, the bugs are still active. According to the researcher, Microsoft did not consider the vulnerabilities “to be serious enough for immediate remediation, but [they] will be fixed in future versions”.
Mr.d0x, however, does not agree with Microsoft’s assessment, telling us that as a user of Microsoft products, he should “not have to double check whether the content I’m being sent is spoofed or not”.
“Microsoft is relying on other factors such as your browser (when you download a file) or a user's vigilance to defend against these vulnerabilities when in reality the first security check should be coming from the product itself,” mr.d0x commented.
The Microsoft spokesperson added: “We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”