A newly disclosed vulnerability in Skype for Android could be exploited by miscreants to bypass an Android phone's passcode screen to view photos, contacts, and even launch browser windows.
Bug-hunter Florian Kunushevci today told The Register the security flaw, which has been reported to Microsoft, allows the person in possession of someone's phone to receive a Skype call, answer it without unlocking the handset, and then view photos, look up contacts, send a message, and open the browser by tapping links in a sent message, all without ever unlocking the phone. This is handy for thieves, pranksters, prying partners, and so on. Here's a video demonstrating the bypass...
Kunushevci, a 19-year-old bug researcher from Kosovo, said he was an everyday user of the Skype for Android app when he noticed that something appeared to be amiss with the way the VoIP app accessed files on the handset. Curious, he decided to put his white hat on, and take a closer look.
"One day I got a feeling while using the app that there should be a need to check a part which seems to give me other options than it should," he explained. "Then I had to change the way of thinking as a regular user into something that I can use for exploitation."
What he eventually found was that, once a Skype call has been received and opened, the application functions as normal, allowing features like photo-sharing and contact look-ups regardless of whether the rest of the phone was unlocked.
Much like the various iOS flaws spotted over the years, the bug is really down to a security oversight. In this case, the Skype app allows users to access the photo and contact features without first checking if the person using the device was authenticated.
"For the specific bug that I have found on Skype, it is more of a bad design and also a bug in coding," Kunushevci told El Reg. "I think to put it all together, humans make mistakes."
Prior to going public, Kunushevci alerted Microsoft to the hole in October and waited for a patch to land. The vulnerability is fixed in the latest versions of Skype, issued December 23, so users can protect themselves by making sure they have the latest build of the app installed.
The vulnerability affects Skype on all versions of Android, according to the bug hunter. We note that the Skype app version differs depending on which version of Android you have installed, though essentially we're told new builds of the application installed or updated after Christmas with a version number over 126.96.36.1996 should be safe.
Though still a teenager, Kunushevci says he already has several years of experience in security research. Starting at the age of 12, he became interested in the reasons his own computer was crashing ,and began looking up the various causes of common security and stability flaws. Within a few years he was claiming bug bounties of his own.
"I started working in Bug Hunting when I was 15 years old trying to find web vulnerabilities for Microsoft, Apple, Dell, Intel, Adobe, Eset, Github and other companies, which I used to gain Hall of Fame status and T-Shirts in order to promote my self and learn new things," he said.
"After some years of development I started working on CTFs (Boot2Root) which taught me the most important thing, which is realizing that what you have learned till now is nothing of what should be learned."
A spokesperson for Microsoft was not available for immediate comment. ®