Microsoft recently fixed a vulnerability in its video chat and messaging app Skype that could have allowed an attacker to execute code on the system it was running on, phish Skype credentials and crash the application.
Zacharis Alexandros, an independent researcher who’s also with the European Union Agency for Network and Information Security (ENISA), discovered the vulnerability in January. He publicly disclosed the issue, an attack he calls “SPYKE,” on Friday, via his personal LinkedIn page.
The vulnerability, Alexandros says, was mostly an issue for Windows versions of Skype installed on public machines, such as libraries, airports, or on smart televisions. An attacker would need local access to the login screen of the app in order to exploit it, he said.
Alexandros said the vulnerability circumvents an authentication process through the embedded Internet Explorer browser behind Skype. He doesn’t get into particulars of the bug, but claims that by abusing the app’s login via Facebook functionality, an attacker could create a phony-looking Skype login screen. The screen can be “parsed inside the SKYPE process” or an attacker can use SKYPE “as a hidden browser to communicate with the outside world in order to exfiltrate key strikes.”
Once in, an attacker can do the following, the researcher said:
- Fingerprint the Internal Browser (IE)
- Execute code in the context of the SKYPE process
- Phish credentials
- Cover communication traces
“More advanced attacks can use valid exploits of Internet Explorer running inside SKYPE, in order to crash SKYPE and cause code execution of malicious code on the underlying operating system in an attempt to perform local privilege escalation attacks,” Alexandros wrote Friday.
The researcher uploaded a proof of concept video in which he fetches code from Facebook’s Developer site, from inside Skype, to crash the messaging app. He claims that instead of crashing the process, an attacker could craft a phishing page inside of the app to trick users and reroute stolen credentials to their own server if they wanted to.
Alexandros said Microsoft fixed the issue roughly a month ago, on March 24, when it released version 188.8.131.52 of the messaging app. The researcher says the company was helpful with his disclosure but that he’s unsure when or if Microsoft will publicly acknowledge the vulnerability.
When reached Friday, a spokesperson from Skype confirmed that users received a patch for the vulnerability last month.
“We addressed this with an update in March. Customers will have automatically received the update when they logged in to Skype. If they haven’t logged in recently, we encourage them to upgrade when they next use Skype,” the spokesperson said.