Risk: Unencrypted Data in Skype

Tuesday, June 10, 2014 @ 12:06 PM gHale


Skype keeps personally identifiable information, alongside chat transcripts in an unencrypted file on the local system, a new report said.

Anyone that has the knowledge and skill to hack a Skype user can easily get access to personal information without actually having to hack into Microsoft’s servers, said researchers in the Solutionary May Threat Report.

RELATED STORIES
How Attackers Bypass Security: Report
Ineffective Password Security Practices
Insider Threat Real; Protection Weak
Aware of Info Loss, Data Still Not Secured

The file that concerns Solutionary was the main.db, a clear indicator as to what the document holds. It can be found on:
• C:\Users\Username\AppData\Roaming\Skype\SkypeName on Windows
• /Users/user/Library/Application Support/Skype/SkypeName on Mac
• /home/user/.Skype/SkypeName on Linux

On Windows and Linux, the locations end up hidden by default, but that doesn’t mean anything to someone who knows their way around a computer.

As the IT security company points out, no one, especially not a company the size of Microsoft, should trust its users’ security in the hands of a system obscurity feature.

When someone finds the file, he or she can open it with SQLite since it does not have encryption. Inside, there’s a long list of tables such as Accounts, Alerts, Calls, ChatMmebers, Contact, DBMeta, Messages, Participants, SMSes, VideoMEssages, Videos and Voicemails.

Within the tables it is easy to infer the information stored with some of the key items being:
• Full Name
• Birthdate
• Country
• City
• Phone Numbers
• Email Addresses
• Complete Chat Transcripts

Basically, it’s the main database file for Skype functions, which makes it pretty easy to infer what kind of information ends up stored in most of the tables. Bad guys can gain access to the users’ full name, birth date, country, city, email address, phone numbers and even the complete chat transcript.

“The details above are stored both about the direct user and any contacts that they may have in Skype,” researchers said in the report. “All of this could represent valuable information to an attacker. Additionally, the plain text and simple location make it an easy task for anyone, even without administrator access, to extract the database’s information. Of course, this does indicate a larger issue, such as that the file system is compromised in another fashion.”



Leave a Reply

You must be logged in to post a comment.