Skype-Eavesdropping

Everyone who uses Skype has to accept that the company has the right to read all private correspondence sent with the application. This is written in the Privacy Policy Agreement, which you have to accept when installing Skype. The Heise company, together with their German colleagues, ran a simple experiment and discovered that Microsoft actively uses that right, but in a rather odd way.

Right after you send a Skype message that contains a link to any HTTPS web site, that site is visited from an IP address that belongs to Microsoft HQ in Redmond, USA. The experiment confirmed that after a link is sent in a message body, Skype generates unusual traffic that looks like a replay attack, and that the IP address used to access the link belongs to Microsoft. This is not the first time a big company has spied on its users; just remember the recent issue with Verizon.

The experiment was run to check that activity. Two HTTPS links were sent in the message body: one contained a login/password combination used for authorization, the other led to a private cloud-based file sharing service. A couple of hours after the message was sent, a special request was recorded in the log:

65.52.100.214 - - [30/Apr/2013:19:28:32 +0200] "HEAD /.../login.html?user=tbtest&password=geheim HTTP/1.1"

According to Uptrace, that IP address belongs to Microsoft. We at Jammer-Store checked that too, and found that Microsoft really does visit all the links you send via Skype.
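A site owner can look for the same pattern in their own access log. The script below is an added example, not code from the original experiment: it flags HEAD requests to URLs that carry secrets in the query string when the requesting IP never fetched that URL normally. The parameter name list and every log entry except the one quoted above are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format prefix. Status and size are not required, because the
# entry quoted in the article stops after the request string.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Assumed list of query parameter names that usually carry secrets.
SENSITIVE = {"password", "passwd", "pwd", "token", "session", "sessionid", "sid"}


def find_link_probes(lines):
    """Return (ip, timestamp, leaked_param_names) for each HEAD request to a
    secret-bearing URL from an IP that never fetched that URL normally."""
    fetched_by = {}  # target -> set of IPs that sent a non-HEAD request
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not an access-log entry
        ip, ts, method, target = m.group("ip", "ts", "method", "target")
        if method != "HEAD":
            fetched_by.setdefault(target, set()).add(ip)
            continue
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        leaked = sorted(name for name in params if name.lower() in SENSITIVE)
        if leaked and ip not in fetched_by.get(target, set()):
            hits.append((ip, ts, leaked))  # report names only, never values
    return hits


# The 65.52.100.214 entry is the one quoted in the article; all other lines
# are constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Apr/2013:17:02:11 +0200] "GET /.../login.html?user=tbtest&password=geheim HTTP/1.1"',
    '192.0.2.10 - - [30/Apr/2013:17:03:40 +0200] "HEAD /.../login.html?user=tbtest&password=geheim HTTP/1.1"',
    '65.52.100.214 - - [30/Apr/2013:19:28:32 +0200] "HEAD /.../login.html?user=tbtest&password=geheim HTTP/1.1"',
    '198.51.100.7 - - [30/Apr/2013:19:30:02 +0200] "HEAD /index.html HTTP/1.1"',
    'server restarted',
]

if __name__ == "__main__":
    for hit in find_link_probes(SAMPLE_LOG):
        print(hit)
```

A hit here also shows that the credentials were written to the server log in clear text, which is a reason to keep secrets out of URLs regardless of who follows the link.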

Https-Protocol

So the experiment confirmed that Microsoft visits all the HTTPS links sent via Skype. Such links often lead to encrypted pages that may contain a session ID or other private data. We should also mention that plain, unencrypted HTTP links were not followed. All the data gathered during the experiment was sent to Skype support, but the answer was a link to the Skype Privacy Policy Agreement.

Skype may use algorithms to automatically check SMS and quick messages in order to detect and block spam, links to phishing sites and other fraud attempts. In some cases, Skype may manually check SMS or quick messages in order to detect and block spam.

A Microsoft representative also confirmed that the company scans messages to block spam and fraud attempts, but that statement doesn’t explain the facts discovered during the research. As you probably know, spam and phishing sites rarely use the HTTPS protocol, yet only those links were scanned by Microsoft, while ordinary HTTP links, which do not contain private information, were ignored.

Microsoft-Skype

But to identify spam or phishing, Skype would have to analyze the content of the page, and the HEAD requests it uses can’t possibly do that, since a HEAD request returns only the response headers and not the page body. As far as we can see, Skype, the only alternative to recently compromised VoIP services, has been compromised too, and no one can guarantee the safety of your private data there.

Either way, the “security” measures Microsoft is adopting may compromise private data, which is more dangerous than any fraudster. We think Microsoft should at least make this feature visible to Skype users and let them turn it off; otherwise Skype may lose users. While it is unknown what other “security” features Skype has, we recommend that you avoid using it for a while, or use a mobile Internet blocker if you have installed the Skype app on your smartphone. That is probably wise, at least until Microsoft does something about it.
