Skype Security

Explaining the Cross Site Scripting Bug in Skype for Windows [RESOLVED]

2011-07-15T20:24:51Z

Updated July 20, 2011 - This issue is now resolved.

Currently, there is a Cross Site Scripting (XSS) bug present in the Skype Home area of the Skype for Windows client. Cross Site Scripting (XSS) is a problem where someone is able to put malicious content onto a web page that other people will view later. If this content is not filtered correctly when someone visits that web page and views the malicious content, it could result in them being redirected somewhere else, having pop-ups appear on their screen, or, worse yet, redirecting them to a web site that contains a virus or trojan.

Unfortunately, Skype for Windows is not correctly validating some fields of your contacts' profiles. What this means is if one of your Skype contacts has put some specific strings into their profile, it could result in your Skype Home area being redirected to another web page or a message being displayed.

In order for someone to cause these messages to be popped up or to redirect you to a web site, they would first have to be one of your accepted Skype contacts. However, this vulnerability should not be there and there is a fix which we are finalising testing of that is due to be pushed out early next week.

When the fix is deployed, it will not require you to update your Skype client, as the change will happen without you needing to perform any updates. Of course, as always, I urge everyone to be on the latest version of Skype, as we are continually updating and improving not only the security, but also the features within our products.

Skype's Take on Vishing (Voice Phishing)

2011-06-10T14:00:00Z

Skype is aware of so-called 'vishing' (or voice phishing) attacks, where a recorded call is made to a person to try and coax them to do something, like share personal information via phone or visit a Web site to download malicious software disguised as security updates. As with any form of communication today, users should be vigilant and responsible at all times and be wary of any suspicious activity. Our advice is similar to answering a call on your mobile from unknown parties that you don't recognize: either don't answer and certainly don't follow any instructions from unknown parties, much as you wouldn't click on or visit unknown URLs or download attachments that seem suspicious.

Skype offers privacy control options to keep users protected from unwanted communications. Windows users should just open Tools -> Options -> Privacy and set your preferences for receiving communications, while Mac users can find these settings under Skype -> Preferences -> Privacy. We recommend that you do not authorize calls from people you do not know.

On the rare chance someone starts bothering you or sends you suspect messages, you should add that user to your Blocked Users list by right clicking on the contact from your call or contact list and choosing "Block This Person." You will then be given the option of reporting abuse by this user. This way, suspicious communications will be better controlled and Skype's automated systems for blocking malicious users are updated to protect the greater Skype community.

Learn more about Skype Security & Privacy.

Today's Skype for Mac update

2011-05-09T21:24:36Z

Earlier today, we published another update for Skype for Mac users. This latest version (5.1.0.935) includes all of the security fixes from our April 14th release (5.1.0.922), as well as some additional product fixes. Now that this update has finished propagating to our download servers, you should be able to click "Skype -> Check for Updates" within the Skype for Mac application to automatically get this update. Shortly, we will also begin prompting users with a message to update the software.

My approach on releases is to always wait for the majority of our users to update before detailing / discussing any of the specific issues that have been fixed. This minimizes the amount of time that would-be attackers have to try and exploit those of our users that haven't upgraded yet. Naturally, having millions of customers using our software (30 million concurrent users at peak times) does result in a somewhat slow upgrade cycle. However, we typically see that large percentages of the user base have upgraded within a few weeks after a new version has been released. Once we have seen a large proportion of our Skype for Mac user base have upgraded to this new version, we will provide further details on the vulnerability in the Skype for Mac client that was raised by Pure Hacking.

Pure Hacking has also now confirmed that the issue they reported to us on April 7th, for which we were already working on a fix, was addressed in our April 14th release.

As always, we continue to urge Skype users to ensure that their systems or devices are patched and running up-to-date software. This advice extends to both the operating system and other programs that they may have installed.

Security Vulnerability in Mac Client Has Been Addressed

2011-05-06T22:17:53Z

Last month, we were contacted by Pure Hacking, a group of ethical hackers in Australia, who reported what they believed to be a zero-day vulnerability in Skype for Mac 5.x. This vulnerability, which they blogged about earlier today, is related to a situation when a malicious contact would send a specifically crafted message that could cause Skype for Mac to crash. Note, this message would have to come from someone already in your Skype Contact List, as Skype's default privacy settings will not let you receive messages from people that you have not already authorized, hence the term malicious contact.

At the time they alerted us, we were already aware of the issue and were working on a fix to protect Skype users from this vulnerability, as we take our users' security very seriously. We subsequently released a hotfix for this problem in a minor update (Skype for Mac version 5.1.0.922) on April 14th. As there were no reports of this vulnerability being exploited in the wild, we did not prompt our users to install this update, as there is another update in the pipeline that will be sent out early next week.

This new update will include some additional updates and bug fixes. When it is released, we will notify all Skype for Mac users of the need to update their software (the client will prompt the user to update). In the meantime, we recommend you update your software with the fix made available on April 14th, just click on Skype -> Check for Updates or you can download the software here.

Please note, Skype's other clients, e.g. Windows and Linux, are not susceptible to this vulnerability.

Privacy vulnerability in Skype for Android fixed

2011-04-20T10:44:18Z

After a period of developing and testing we have released a new version of the Skype for Android application onto the Android Market, containing a fix to the vulnerability reported to us. Please update to this version as soon as possible in order to help protect your information.

We have had no reported examples of any 3rd party malicious application misusing information from the Skype directory on Android devices and will continue to monitor closely. Please rest assured that we do take your privacy and security very seriously and we sincerely apologise for any concern this issue may have caused.

Please ensure that you download Skype only from skype.com, or from the Android Market links on skype.com.

[Fixed] Privacy vulnerability in Skype for Android

2011-04-15T08:49:01Z

20 April 2011: This vulnerability has been fixed. Please update Skype on your Android device.

It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files.

These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.

To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.

Download Skype safely

2011-03-02T01:14:49Z

From time to time, we release free updates to our software that both provide you with new features, as well as updates and fixes to existing functionality.

There are three places you can look for updates:

the Skype website, found by entering www.skype.com in your browser’s address bar
by checking for updates from within Skype (Help > Check for Updates on Windows or Skype > Check for Updates on Mac OS X)
from skype.com/m on your mobile device, which will direct you to the Android Market or App Store on applicable devices

Recently, we’ve seen a number of websites and emails that attempt to trick you into paying them for these free updates. Please be careful, and don’t fall for these scams. For more information on how to stay safe online, check out our security pages.

Remember, it's free to download Skype for your computer

2010-10-07T17:16:39Z

A small number of websites claim to offer Skype downloads for a fee. Skype is free to download for your computer, and you should be suspicious of any website which requests money in exchange for a Skype download.

You can always find the latest version of Skype from our download page – check that your browser’s address bar says skype.com, or skype.tom.com in China.

Skype will tell you when a major update is available, and you should be wary of any email pretending to be from Skype saying a security update is available. We will never do this. Information regarding updates to the Skype software can always be found on the downloads section of our website.

'Password Reset' or 'Payment Delivered' phishing emails

2010-06-17T08:08:04Z

Phishing is the process whereby a malicious third party attempts to trick you into providing information that they shouldn't have. For instance, someone could send you an email pretending to be from Skype and ask you to click on a link asking you to sign in and check your account.

When you click this link you are then directed to a website that may look like Skype; however, it is being controlled by a third party and when you enter your Skype Name and password they store this information and use it for malicious purposes.

We're aware of a number of phishing emails which have been making the rounds recently - one invites you to reset your password while another alert you to problems processing your payments. Both link to a site which isn't controlled by Skype.

Here are some examples of what these may look like:

Phishing Scam #1: Problem with your payment

Phishing Scam #2: Password Reset

Phishing Scam #3: Purchase Delivered (Long)

Phishing Scam #4: Purchase Delivered (Short)

If you receive one or more of these emails, or another email which looks suspicious, do not click on any of the links in it, open the attachment, or share your username and password. If you arrive at a website, through a link or some other such redirection, make sure that it says skype.com in your browser's address bar and does not contain within the web address additional characters or words. For instance, notskype.com or skype1.com are both invalid web addresses.

In general, we strongly encourage you to be cautious when receiving any email from any unknown or unexpected source that asks you to take some kind of action or that requests sensitive personal information.

And remember, if you do think that your account has been compromised or even suspect it, then go to skype.com and change your password immediately.

For more information about phishing and advice on how to stay safe online, visit the security section of our website.

An update on spam on Skype

2010-03-18T14:10:01Z

Sadly, a small number of people choose to abuse Skype, much like any other Internet communications tool – whether it’s email, IM or VoIP.

We have a team of people dedicated to fighting spam on Skype, and it’s a task which requires continuous effort. I’d like to share with you a few details of our latest achievements, along with some general advice on what to do if you receive spam on Skype.

In the latest version of Skype for Windows, we’ve changed the way that contact requests appear. Contact requests are the notifications you see when someone asks you if they can add you to their contact list. Of course, the vast majority of these are completely legitimate – with our contact importer tools, for example, you can find friends who are already on Skype, and ask them to join your contact list.

However, a small minority of requests may come from spammers. So, in the latest version of Skype for Windows, we’ve made some changes to the way these requests look, and where they appear. Specifically, we’ve made it much easier to tell the difference between a contact request and an instant message conversation.

As well as introducing this visual change, I’d also like to explain in a little bit more detail what happens when you report abuse from a spammer. If you see a contact request from a spammer, you can block them by clicking the Block button in the notifications window. Once you’ve done this, Skype will ask you if you’d like to report them.

These reports are very useful to us – they help us to detect patterns in spam activity, as well as allowing us to disable the accounts of individual spammers. So you’re not just reporting a single spammer – you’re helping us to reduce the total amount of spam on Skype.

Finally, some general advice, and a very simple message: don’t click links or open files in messages from people you don’t know and trust, and indeed even from people you do trust if you are not sure of the content. We’ve deliberately made this more difficult – links in contact request notifications are un-clickable – but it’s a rule which doesn’t just apply to Skype. And there’s more general security advice in the Security section of our website: you’d be wise to follow it.

Koobface worm

2009-11-27T09:15:43Z

You may have seen news articles about the ‘Koobface’ worm, a malicious piece of software which has been targeting various social networking sites, such as Facebook and Twitter, and which can also send unsolicited messages to your Skype contacts.

To avoid becoming infected, please take a look at our security recommendations – in short, make sure you don’t click links or open files from people you don’t trust, stay current on patches and updates for your computer and use an up-to-date anti-virus program and personal firewall.

You might also find our advice on how to keep your computer secure useful.

You cannot be infected by this trojan simply by using Skype or social networking sites. In order for it to infect your computer, you would have to run the malicious software. Again, make sure you don’t click links or open files from people you don’t trust.

A little bit about Trojan.Peskyspy

2009-09-03T16:08:12Z

Some of you may have seen stories circulating about a ‘trojan’ (a malicious piece of software) which can listen in to your Skype calls – and I’d like to set the record straight on two points.

In order for this trojan to ‘listen in’, it has to be run on your computer, which means that your computer is already compromised – e.g. by a virus.
It doesn’t exploit the Skype software; instead, it ‘listens in’ to the audio data which is transferred between Skype and your computer hardware – your headset and microphone, for example – and it does this using processes which are available in the Microsoft Windows operating system. It’s like standing next to someone when they are talking

So, what should you do? All the usual security recommendations still apply – make sure you don’t open files from people you don’t trust, stay current on patches and updates for your computer and use an up-to-date anti-virus program.

If you’re looking for more details, the security experts at Symantec sum things up pretty nicely over on their blog:

What this threat is doing is actually grabbing the sound coming from the audio devices plugged into the computer. It does this by hooking various Windows API calls that are used in audio input and output. It then is able to intercept all audio data traveling between the Skype process and the underlying audio device. The extracted audio data is then saved to .mp3 files and stored on the computer.

Because the Trojan listens in the data traveling between the Skype process and the audio device, it gathers the audio independently of any application-specific protocols or encryption applied by Skype when it passes voice data at the network level. Essentially, it sits below these security measures, recording the audio at the Windows level—before outbound audio from the microphone gets to Skype and after incoming audio leaves Skype and reaches the speakers.

Finally, the Trojan contains a back door, which enables an attacker to have the stolen audio conversations sent to a predetermined location, where they can later be listened to.

In terms of impact, we don’t see this threat gaining much of a foothold out in the wild. What we’ve seen is largely proof-of-concept and does not contain any method to spread from one computer to another. However, it is possible that we will see variations on this Trojan theme in the future. With this in mind we recommend keeping your virus definition and IPS signatures up-to-date.

Cross-Site Request Forgery (CSRF) Vulnerability

2009-04-14T19:08:35Z

A browser-level vulnerability has been revealed by Secure Science Corporation that could impact Skype users.

]]> This exploit can happen to any user who is logged into their account on Skype.com, who simultaneously visits a malicious Web site and is then affected by this attack. The malicious site can then compromise a user's account and perform a limited number of actions, such as change the user's voicemail or call forwarding settings. However, the user's account password is not compromised at any time. Nor does it impact users of the Skype client.

The simplest technique is similar to a phishing attack, only a bit more interactive:

Attacker: Hello, I apologize for the disruption, but this is a friendly reminder that Skype is having a special today. We are offering $25.00 extra credit in your SkypeOut account if you do "X." We will never ask you for your username or password over Skype Instant Messaging.
Victim: OK!

That "X" can be anything that requires the user who is logged into their Web-based Skype account to possibly view another site.

Attacker2: Hello, were you just contacted by someone promising 25.00 extra credit. This is the Skype Fraud Detection (SFD) department; we believe that your computer may be infected. We need you to go to this site to check for and eliminate the infection (X-Fake-Security-Site). As this is Skype-specific, anti-virus software cannot eliminate this threat. Note: the SFD will never request your Skype password.
Victim: OK!

In both cases, the attacker never asked for the Skype username or password.

To protect yourself from this vulnerability, we recommend that you take the following steps:

Close all browser windows before logging into your secure account (https) on Skype.com to execute any transactions or change any account settings.
Make sure to log out of your account on Skype.com when you're done buying Skype credit or a subscription and/or making other changes to your account settings.
Logging off of secure Web sites is the best practice method before clicking on any links from any source other than the secure page opened. As such, do not visit any other Web sites until you have logged out of your secure Skype.com account.

As always, do not click on links from unknown people in instant messages or links in "spam" or untrusted e-mails. Plus, it's not a good time to multi-task when you are logged into any secure Web site.

Skype is hard at work changing how these Web pages operate in order to address this vulnerability and to keep our users' safe from this type of attack.

Skype Lottery Scam Alert

2008-12-17T14:37:14Z

It appears that someone is attempting to perpetrate a form of the ‘Nigerian’ or ‘Foreign Lottery’ scam using the Skype brand, promising to pay significant prize winnings in a contest.

If you have received an email that appears to be from Skype, please do not respond and/or share any personal and private information as the result of this email.

Here's the version of the message we've seen making the rounds:

Subject: Congratulations; SKYPE AWARDS!‏ 
From: SKYPE AWARDS (info@skype.com) 
Sent: December 16, 2008 5:17:26 AM 
To: (Unknown)

SKYPE AWARDS PROMO
The Desk Of The Promotions Manager

International Promotions/Skype Award Center

124 Stockport Road, Longsight,

Manchester M60 2DB - United Kingdom.

Tel: +44 703 194 6898

Fax: +44 703 194 6898

Reference Number: 1037231LL

This is to inform you that you have won a prize money of three Hundred Thousand Pounds (GBP300,000: 00.) for the month of December, 2008 Prize promotion which was organized by SKYPE AWARDS. The Skype collects all the email addresses of the people that are active online,among the millions that subscribed to various websites. Six people are selected yearly to benefit from this promotion and you are one of the Selected Winners this year.
PAYMENT OF PRIZE AND CLAIM.

Winners shall choose from one of the payment option stated below:

A] Bank Wire Transfer

For this option, winnners must provide the below stated information:

(1) Bank Full Name:

(2) Bank Full Address (including State and Country):

(3) Bank Telephone Number:

(4) Bank Account Number:

(5) Name of Owner of Account:

(6) Swift Code:

(7) Charge of Transfer (C.O.T) - 750GBP  (Must be paid before consignment transfer of funds)

B] International Certified Cheque

For this option, winnners must provide the below stated information:
(1) Your Full Name:

(2) Your Complete Mailing Address:

(3) A Scanned Copy of your I.D clearly showing your face. (Note that this I.D will be required to claim your parcel when it arrives your apartment).

(4) Insurance Fee & Shipment charge of 500GBP  (Must be paid before consignment dispatch).

All funds must be claimed no later than 5 days from date of Draw Notification. Any prize not claimed within this period will be forfeited.

Below you will find a Processing Form, requesting your required Particulars. Please provide all requested information to help us processs your claim in good time.

SKYPE ONLINE PROCESSING FORM

REFERENCE NUMBER:

FULL NAMES:

ADDRESS:

CITY:

STATE:

ZIP:

PHONE /FAX:

COUNTRY:

SEX:

AGE:

MARITAL STATUS:

OCCUPATION:

E-MAIL ADDRESS:

NATIONALITY:
PAYMENT OPTION: [A]/[B]
Forms Should be returned to your claim agent with details below:
Agent Michael Mine

E-mail: skypeawardsprom@gmail.com

CONGRATULATIONS ONCE AGAIN

Yours in service

Patricia Elsworth

(Lottery Coordinator)

Note: Do not reply to this email because your entries will not be processed. All entries should be sent to skypeawardsprom@gmail.com

*****************************************************************************

This Notification MUST remain confidential until your funds is successfully handed over to you to avoid disqualification that may arise from double claim. You may also receive similar e-mails from people portraying our image. This is solely to collect your personal information from you and lay claim over your winning. In the event you receive any e-mail similar to this notification letter we have emailed you, kindly delete it from your mail box and make no further correspondence to such persons or body. Skype shall not be held responsible for any loss of fund arising from the above mentioned.

[RESOLVED] Phishing emails

2008-07-10T20:41:15Z

It appears some of our users have been subject to phishing emails - if you have received an email that appears to be from Skype, please DO NOT enter your username and password as the result of this email.

Also, as a consequence of this, skype.com's mail servers are currently down (we are subject to a flood of bounced emails from emails that do not exist as a result of the phishing emails) - this means our customer support is not currently contactable.

We are doing our best to resolve this situation as quickly as we can and will post updates here as soon as we have them. Please bear with us during while work on solving this.

UPDATE: We are happy to let you know that our mail servers are back up, customer support is available and the phishing sites associated with this incident are no longer active. As a reminder, we strongly encourage users to be cautious when responding to any email that requests sensitive personal information.