Microsoft quietly patched the Mac OS X client for Skype in October, closing a backdoor that could have existed for as long as a decade and would have allowed attackers to control many aspects of the software, security-services firm Trustwave said on Dec. 14.
The backdoor, which bypasses a permissions check by the Skype client whenever a dashboard widget requests access, could allow an attacker who already had local access to a system to control the Skype client.
Someone using the dashboard widget application programming interface (API) could, for example, get notifications of incoming messages; read, modify and create messages; retrieve information on any contact; and record the audio—but not the video—of any Skype call to disk.
“You can do pretty much everything that Skype can do,” the researcher who discovered the issue told eWEEK. The researcher requested anonymity because of concerns that publicity could hinder future research. “You can rip off the contact lists. You can start new conversations. You can make calls.”
The researcher found the backdoor during a penetration test and audit of the software. Any Skype Dashboard widget for Mac OS X that identified itself as “Skype Dashbd Wdgt Plugin” would have access through the program’s API without the user being notified or asked for permission, according to an advisory published by Trustwave.
Normally the Skype program will notify the user each time a new dashboard widget attempts to connect to Skype through its API.
“In the case of the backdoor, no such notification attempt is made and as such the user is not given the opportunity to deny access,” Trustwave said in its statement on the issue.
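The flaw described above is an authorization decision keyed on a name the client declares for itself. The following Python model is an added example, not Skype's code and not taken from the Trustwave advisory: the class names, the `verified_id` parameter (standing in for an identity the platform verifies, such as a code-signing identity) and the sample inputs are assumptions, and only the client name string comes from the article.

```python
"""Model of a client-name bypass in an API consent gate (added example,
not Skype's code; all class and parameter names are hypothetical)."""

BYPASS_NAME = "Skype Dashbd Wdgt Plugin"  # client name quoted in the article

class ConsentGate:
    def __init__(self, ask_user):
        self.ask_user = ask_user   # callback standing in for the consent dialog
        self.approved = set()      # keys the user has already allowed
        self.prompts = []          # audit trail: every label shown to the user

    def _consent(self, key, label):
        if key not in self.approved:
            self.prompts.append(label)
            if not self.ask_user(label):
                return False
            self.approved.add(key)
        return True

class VulnerableGate(ConsentGate):
    def connect(self, client_name):
        if client_name == BYPASS_NAME:
            return True            # flaw: a self-declared name skips the prompt
        return self._consent(client_name, client_name)

class HardenedGate(ConsentGate):
    # No special-case names. Approval is stored per verified_id, which is
    # assumed to come from the platform rather than from the connecting client.
    def connect(self, client_name, verified_id):
        return self._consent(verified_id, f"{client_name} [{verified_id}]")

def run_demo():
    def deny(label):               # constructed user who refuses every request
        return False
    weak, strong = VulnerableGate(deny), HardenedGate(deny)
    return {
        "weak_bypass": weak.connect(BYPASS_NAME),
        "weak_other": weak.connect("Some Widget"),
        "weak_prompts": list(weak.prompts),
        "strong_bypass": strong.connect(BYPASS_NAME, "unsigned:constructed"),
        "strong_prompts": list(strong.prompts),
    }

if __name__ == "__main__":
    print(run_demo())
```

With a user who refuses every request, the vulnerable gate still admits the special name and records no prompt for it, which is the missing notification the advisory describes; the hardened gate records a prompt and denies access.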
Trustwave believes the backdoor was not put in for nefarious purposes but was more likely the result of quick-and-dirty development practices.
“An interesting possibility is that this bug is the result of a backdoor entered into the Desktop API to permit a particular program written by the vendor to access the Desktop API without user interaction,” the company said in a statement. “Indeed, this possibility seems even more likely when you consider that the Desktop API provides for an undocumented client name identifier.”
Ironically, the actual Skype Dashboard widget does not use the backdoor, despite using the name that would give it access without notification.
“This raises the possibility that the backdoor is the result of a development accident which left the code behind accidentally during the process of implementing the Dashboard plugin,” the company said.
While the security issue allowed an attacker to gain access to Skype’s functionality without notifying the user, the severity of the vulnerability is limited by the fact that the attacker must be able to get a dashboard widget or program onto the victim’s computer.
Trustwave did not know how long the backdoor had been present in the software, but the Skype Dashboard plugin for Mac OS X was released in September 2005 as version 1.0.2. The company confirmed that the backdoor string was present in the program for at least five years.
“I couldn’t get a copy of Skype for OS-X dating back that far with which to verify, but it is certainly a logical assumption and a strong possibility that it does indeed date back that far,” the researcher said.
The issue was patched in October 2016 with the release of Skype for Mac version 7.37(178).
“We don’t build backdoors into our products, but we do continuously improve the product experience as well as product security, and encourage customers to always upgrade to the latest version,” Microsoft said in a statement sent to eWEEK.