A soon-to-be-deprecated API included with Skype for Mac contains a vulnerability that allows an attacker to bypass authentication procedures and query for user data or interact with a local Skype installation.
According to researchers from Trustwave, the bug affects the Desktop API, previously known as the Skype Public API. The role of this API is to enable third-party applications to communicate with Skype.
Normally, these apps are required to provide access credentials in order to interact with a local Skype installation.
Vulnerability gives access to nearly everything that Skype can offer
Researchers discovered a hidden mechanism that bypassed the authentication procedure and allowed a third-party app, or malware, to interact with Skype without proper credentials or requesting the user’s permission.
Based on the Desktop API’s features, an attacker or malware abusing this backdoor could:
- Read notifications of incoming messages (and their contents)
- Modify messages
- Create chat sessions
- Log and record Skype call audio
- Retrieve user contacts
Furthermore, apps connecting through this secret mechanism wouldn’t show up in Skype’s “Manage API Clients” dashboard, where users go to see what third-party apps are connected to their Skype account, and revoke permissions.
Is it a backdoor?
Trustwave has put forward two plausible explanations for this bug’s presence.
“An interesting possibility is that this bug is the result of a backdoor entered into the Desktop API to permit a particular program written by the vendor to access the Desktop API without user interaction,” researchers wrote.
“Indeed, this possibility seems even more likely when you consider that the Desktop API provides for an undocumented client name identifier (namely ‘Skype Dashbd Wdgt Plugin’),” Trustwave added.
Or is it a coding accident?
But the backdoor theory isn’t as clear cut as researchers make it look like. This ‘Skype Dashbd Wdgt Plugin’ appears to be an older name for the actual Skype for Mac Dashboard widget, currently still available with recent Skype installations.
“This raises the possibility that the backdoor is the result of a development accident which left the code behind accidentally during the process of implementing the Dashboard plugin,” researchers explained.
A developer might have started to implement the Dashboard widget, encountered a problem and restarted from scratch, without deleting the old authentication bypass mechanism, which was left in Skype’s API for years.
Researchers say they were able to track this so-called “backdoor” as back as five years. Even if this may not be an intentional backdoor introduced by Skype’s developers, the vulnerability is a de-factor backdoor, and can allow attackers access to Skype user data.
All Skype for Mac versions up to and including Skype 7.35 are affected. Mac users should update their Skype installation as soon as possible.