“An interesting possibility is that this bug is the result of a backdoor entered into the Desktop API to permit a particular program written by the vendor to access the Desktop API without user interaction,” researchers wrote.
“Indeed, this possibility seems even more likely when you consider that the Desktop API provides for an undocumented client name identifier (namely ‘Skype Dashbd Wdgt Plugin’),” Trustwave added.
Or is it a coding accident?
But the backdoor theory isn’t as clear-cut as the researchers make it appear. This ‘Skype Dashbd Wdgt Plugin’ appears to be an older name for the actual Skype for Mac Dashboard widget, which is still available with recent Skype installations.
“This raises the possibility that the backdoor is the result of a development accident which left the code behind accidentally during the process of implementing the Dashboard plugin,” researchers explained.
A developer might have started to implement the Dashboard widget, encountered a problem and restarted from scratch, without deleting the old authentication bypass mechanism, which was left in Skype’s API for years.
Researchers say they were able to track this so-called “backdoor” as far back as five years. Even if this may not be an intentional backdoor introduced by Skype’s developers, the vulnerability is a de facto backdoor, and can give attackers access to Skype user data.
All Skype for Mac versions up to and including Skype 7.35 are affected. Mac users should update their Skype installation as soon as possible.