Need to spy on your spouse? Your employees? That suspect who refuses to unlock his Android? It was easy-peasy up until a few weeks ago: you could have just grabbed their phone, placed a Skype call to it, answered the call, then poked around, no passcode needed.
In October, Florian Kunushevci, a 19-year-old bug hunter from Kosovo, reported the Skype for Android security flaw to Microsoft. It patched the hole for the latest version of Skype, which was issued 23 December.
He said in a post on LinkedIn that after he Skyped a target phone, the vulnerability let him view the photos, albums, names and phone numbers in a victim’s contact list, as well as allowing him to access the phone’s browser. He also discovered that he could send messages from the phone, all without unlocking it.
Here’s Kunushevci’s proof of concept video:
None of that should happen. A user/attacker/thief/snoop shouldn’t have access to data such as photos and contacts without having gone through authentication via password, PIN, lock-screen pattern, or fingerprint.
Kunushevci told The Register that he wasn’t hunting for Skype for Android bugs. He was just using the Voice-over-IP (VoIP) app when he noticed something odd about how it accessed files on his handset. That’s when he started investigating to see how it might be exploited:
One day I got a feeling while using the app that there should be a need to check a part which seems to give me other options than it should. Then I had to change the way of thinking as a regular user into something that I can use for exploitation.
This is similar to an iOS 9 flaw from a few years ago that let you do the same thing. In September 2015, Apple patched a lock screen hole that let anyone view and edit your contacts, send text messages, and rummage through your photos, all without entering a passcode.
If you had an iOS 9 or 9.0.1 device with Siri accessible from your lock screen, you were vulnerable regardless of the type or length or your passcode, and regardless of whether you had turned on TouchID.
Hey, stuff happens when you code, Kunushevci said:
For the specific bug that I have found on Skype, it is more of a bad design and also a bug in coding. I think to put it all together, humans make mistakes.
Kunushevci said the Skype for Android vulnerability probably affects all Android devices using an unpatched Skype version. To protect themselves from the bug, users should update their Skype for Android app if they haven’t already.
The researcher wasn’t awarded a bug bounty, he said, but he should be getting a mention in Microsoft’s bug-hunter hall of fame, whenever that’s updated.