Skype Hole Exposes Android Users’ Data

Friday, January 4, 2019 @ 04:01 PM gHale

A new vulnerability on Skype that affected millions of Android devices around the world has been fixed, a researcher said.

The vulnerability allows an unauthenticated attacker to view photos and contacts, and open links in the browser.

RELATED STORIES
Google Play Spyware Thwarted
Google Patches Android Vulnerabilities
New Malware Attacks Android Devices
New API Hikes Android Security
Issues Found in Popular Android Apps

Researcher Florian Kunushevci, 19, from Kosovo, said the vulnerability requires the attacker to have physical access to the target device.

They would also need to receive a Skype call and answer it, which would then allow them to access user data even if the device is locked.

Normally, with the device locked, a user should not have access to data such as photos and contacts without authenticating with a password, a PIN, a lock-screen pattern, or a fingerprint.

Kunushevci said in a post and video a code error in Skype for Android led to the application not following the rule, thus providing an attacker with the possibility to access photos, view contacts, and even send messages without having to authenticate first.

In addition, it was also possible to launch the browser on the device, straight from Skype. For that, the attacker would only need to type a link in a new message, send the message, and then click the link.

The security researcher discovered the vulnerability in October and reported it to Microsoft immediately.

A new version of Skype released December 23.



Leave a Reply

You must be logged in to post a comment.