
Several purported security flaws in Skype have been disclosed publicly, but Microsoft claims they do not need “immediate security servicing”.
The researcher first began examining Skype in the second week of January and quickly found that the application’s messaging functionality does not have adequate protection against tampering. Due to this it’s possible to spoof .
Content spoofing
Tampering is possible by sending the content you want to spoof, intercepting subsequent requests, and forwarding them with modified code, such as altered href and key attributes, or by intercepting the spoofed content and changing values such as OriginalName, FileSize, and file extensions.
Shared contacts can be spoofed by sharing a contact, intercepting the request, and modifying either the display name or the username, which is then reflected to the recipient.
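Both tampering paths above work because values supplied in the client's request are what the recipient ends up seeing. The following is an added example, not code from the article, the researcher or Microsoft: a relay that rebuilds each message from its own records and reports which client-supplied fields disagreed. The message schema, the `canonicalize` function, the id fields and the sample records are assumptions; only the names OriginalName, FileSize and href come from the article.

```python
# Added example: constructed records and a hypothetical message schema.
# Only the names OriginalName, FileSize and href come from the article.
UPLOADS = {  # what the server stored when the file was uploaded
    "obj-1001": {"OriginalName": "q3-report.pdf", "FileSize": 48213,
                 "href": "https://files.example.invalid/obj-1001"},
}
CONTACTS = {  # the server's own directory entries
    "user-42": {"username": "alice.w", "display_name": "Alice W."},
}
SOURCES = {  # message type -> (id field, record store, fields shown to recipient)
    "file": ("object_id", UPLOADS, ("OriginalName", "FileSize", "href")),
    "contact": ("contact_id", CONTACTS, ("username", "display_name")),
}


def canonicalize(msg):
    """Rebuild a relayed message from server-side records.

    Returns (clean, tampered): `clean` carries only server-held values, and
    `tampered` lists client-supplied fields that disagreed with them.
    """
    if msg.get("type") not in SOURCES:
        raise ValueError("unsupported message type")
    id_field, store, fields = SOURCES[msg["type"]]
    record = store.get(msg.get(id_field))
    if record is None:
        raise LookupError("no server record for " + repr(msg.get(id_field)))
    # Fields the client sent that differ from the server's copy (for alerting).
    tampered = sorted(f for f in fields if f in msg and msg[f] != record[f])
    # The recipient only ever receives values taken from the server record.
    clean = {"type": msg["type"], id_field: msg[id_field]}
    clean.update({f: record[f] for f in fields})
    return clean, tampered


if __name__ == "__main__":
    # Constructed request: name and size altered after the upload.
    altered = {"type": "file", "object_id": "obj-1001",
               "OriginalName": "invoice.docx", "FileSize": 1,
               "href": "https://files.example.invalid/obj-1001"}
    print(canonicalize(altered))
```

A non-empty `tampered` list is also a useful detection signal, since an unmodified client has no reason to send metadata that differs from the server's copy.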
Another interesting spoof is the opportunity to spear-phish using Skype’s domain name.
Once a file has been shared between chat participants, it is uploaded to Skype servers and access is maintained. If a target has an active Microsoft Outlook session, an attacker could email the link to the file, intercept it, and once again tamper with the request.
“Skype’s domain is trusted and so you won’t have to worry about your link being flagged by email providers,” the researcher noted.
Mixed messages
All of these low-level spoofing techniques rely on the victim clicking on a link from the attacker and bypassing any security warnings shown in the application.
Offering additional context as to why these issues were not deemed security vulnerabilities, the company said that users are presented with several warnings when these techniques are run.
Microsoft is relying on other factors such as your browser or a user’s vigilance to defend against these vulnerabilities when in reality the first security check should be coming from the product itself.