I’ve always praised the security of Skype’s phone calls, and it’s even reached international news that authorities cannot break Skype’s encryption. This is still the case to my knowledge. But IP telephony is extravagant and only for the bandwidth-rich. It’s also discouraged in open offices like my own, where people are trying to concentrate, which leaves us (the poor and the silent) with Skype’s text-messaging. With the IRC-format turned on and smileys turned off, it’s no more bother than any other instant messenger software I’ve used. Today, however, I discovered a bug by accident that yields a grimmer picture.
I was doing some maintenance work and updates on a private XP Pro SP2 box that belonged to client "Missy". Just like myself, Missy uses Skype for quick communications. While her home computer was standing on the other table, and I was working on my own work laptop, Missy sent me an instant message over Skype from her work laptop (a third machine in another office) to let me know she was leaving the building for a while. We exchanged some greetings and that was it. Just the usual.
But when I went to check up on how her home machine was doing, I saw that a Skype window had popped up, and LO AND BEHOLD! All of our little exchange was right there for anyone to read and log. Apparently her machine was set up to start Skype when Windows starts and log right in. And by default her installation was logging all IM conversations.
"No way!" I thought. "I must have done something here. This can’t be right!"
So a little later (after having done my proper job) I got a completely different user to chat with me while I started a 3rd computer, logged in as myself and was able to write from either without her noticing, while receiving a full log on both my computers. See the illustration:
Skype Versions in test (all on Windows XP Pro SP2)
Client #1: 2.5.0.151
Client #2: 3.6.0.244
Listener: 3.5.0.259 (logged in as client 1)
Now, this does not compromise Skype encryption because copying a person’s Skype folder from his local computer will not magically give you his password. But in terms of security design I think it’s absolutely outrageous. Most users (including yours truly) have their main computer set up to auto-run and log in to their Instant Messenger when Windows starts up. This means that anyone who gets a hold of my mother’s computer will probably have access to my MSN account and could pose as me.
Fair enough. You can also steal my phone and do the same.
But stealing my phone will not give you instant access to my instant messaging after the fact on that card. It won’t let you see what I’m saying and to whom, and allow you to silently log the activity on a third computer. I have never heard about anything like this happening in other IM applications, and I was surprised I was able to reproduce it.
I know you can make an über-secure password and disable auto-login, but that’s beside the point. The crucial piece of information here is that the 3rd computer sees every conversation client #1 is having, enabling him or her to make a local archive of your communication. Skype even rings a little bell to tell the rogue listener there’s a new chat in progress. This is not the case with any other IM I’ve used. (Apart from the bell.)
Edit: Scenarios
I thought that maybe I should exemplify how this design could be exploited.
Scenario I
1. The user has auto-login enabled on the office computer
2. User leaves the office with his/her laptop (goes to café/meeting/vacation)
3. Rogue (boss) enters office and monitors any text-chat the user has on the laptop
Scenario II
1. The user has auto-login enabled on laptop
2. The laptop is stolen by rogue
3. User does not change password
4. Rogue monitors any text-chat made by user after the fact
Scenario III
1. User’s password is compromised
2. User does not change password
3. Rogue monitors any text-chat made by user
The "Solution" is simple
a. Disable Skype’s auto-login on any computer you use Skype on
b. Change your password frequently
None of these scenarios would enable rogue to monitor communication in other IMs.
Keep your passwords safe, use another IM for your text-chat and spread the word!
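The behaviour behind the scenarios above, as an added toy model (not Skype's code or protocol, and not from the original post): every endpoint signed in to an account receives each message. The two mitigations it shows, announcing new sign-ins to endpoints already online and dropping other endpoints on a password change, are assumptions for illustration, as are all class, account and endpoint names.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    name: str                                     # hypothetical label, e.g. "work-laptop"
    inbox: list = field(default_factory=list)     # chat messages delivered here
    notices: list = field(default_factory=list)   # security notices shown to the user

class ChatServer:
    """Constructed toy model: every message goes to all endpoints of an account."""

    def __init__(self, passwords, announce_sign_ins):
        self.passwords = dict(passwords)  # plain text only because this is a toy
        self.announce_sign_ins = announce_sign_ins
        self.sessions = {account: [] for account in passwords}

    def sign_in(self, account, password, name):
        if self.passwords.get(account) != password:
            raise PermissionError("bad credentials")
        endpoint = Endpoint(name)
        if self.announce_sign_ins:
            # Mitigation: endpoints already signed in are told about the newcomer.
            for other in self.sessions[account]:
                other.notices.append(f"new sign-in: {name}")
        self.sessions[account].append(endpoint)
        return endpoint

    def send(self, sender, recipient, text):
        # The behaviour the post observed: each signed-in endpoint gets a copy.
        for account in (sender, recipient):
            for endpoint in self.sessions[account]:
                endpoint.inbox.append((sender, text))

    def change_password(self, account, new_password, keep):
        # Assumed mitigation: a password change drops every endpoint except `keep`.
        self.passwords[account] = new_password
        self.sessions[account] = [keep]

def run_scenario(announce_sign_ins):
    server = ChatServer({"client1": "pw1", "client2": "pw2"}, announce_sign_ins)
    laptop = server.sign_in("client1", "pw1", "work-laptop")
    listener = server.sign_in("client1", "pw1", "home-pc-autologin")
    server.send("client2", "client1", "hello")
    copies_before = len(listener.inbox)          # listener silently got the message
    server.change_password("client1", "pw1-new", keep=laptop)
    server.send("client2", "client1", "still there?")
    return laptop.notices, copies_before, len(listener.inbox), len(laptop.inbox)
```

With `announce_sign_ins=False` the laptop user gets no indication that a second endpoint is receiving copies; with `True` the notice list is the only difference in the result.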
Edit 11.02.08: Skype just says «It’s a feature»
I got in touch with several people working in Skype (bloggers, press people and security experts) and while two of them referred me to someone else, I got this e-mail from Skype support:
Hello Sigg3,
Thank you for contacting Skype Support.
Skype is designed this way. It is not a security hole in our system or a bug. It is one of Skype’s features.
As long as you ensure that you always log out of public computers no security risk is posed.
Best regards,
[DELETED]
—
Skype Support
That’s just great. When it’s a feature there’s nothing to be fixed, right? Just swell.
Well, I beg to differ. The security risk posed here is the quote unquote feature.
You’d report it to Skype…
You can also help by digging this story:
http://digg.com/security/Security_design_flaw_in_Skype_s_text_chat
Dugg.
Tested again in 2011 with version 4.20 and 5, but only on the same network. I must check whether having the same account open on different IPs matters.
The only difference between now and then is that the notification on the “listener machine” is more subtle, and you must click it to open the conversation window. This could probably be visually scripted using something like AutoIt.
Skype still logs every conversation, and you can output the log (found in C:\Documents and Settings\Username\Application Data\SkypePM as .ezlog files) by starting Skype, opening a conversation window and typing /htmlhistory according to this post.