Skype for Android vulnerability exposes names and chat logs

Posted by Trent Nouveau

An eagle-eyed developer has positively identified a critical vulnerability in the Android version of Skype that can be exploited to reveal names, phone numbers and chat logs.

The vulnerability was discovered by "Justin Case" as he was analyzing a leaked version of Skype Video. However, the same security lapse was found in the standard version of Skype for Android - although Skype Mobile for Verizon appears to be unaffected at this time.

"Inside the Skype data directory is a folder with the same name as your Skype username, and it's here where Skype stores your contacts, your profile, your instant message logs, and more in a number of sqlite3 databases," Case explained in a post on Android Police.

"But Skype mistakenly left these files with improper permissions, allowing anyone or any app to read them. Not only are they accessible, but completely unencrypted."

According to Case, the most interesting file one can gain access to is main.db, which stores such information as account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone and email addresses.

"Moving further along, looking into the Chats table, we can see your instant messages - and that's just the tip of it. Scary. This means that a rogue developer could modify an existing application with code from our 
Proof of Concept (without much difficulty), distribute that application on the Market, and just watch as all that private user information pours in," he warned.

"While the exploit can't steal your credit card info, the data it's harvesting is still clearly very private. Imagine if Google accidentally leaked all of your Google Talk logs along with your e-mail address, name, and phone number - such a breach might a cause a mass user exodus, not to mention a federal inquiry."



As such, Case recommended that Skype fix the above-mentioned vulnerability by employing proper file permissions, encryption and thorough reviews before future versions of the app are launched.

Update: Skype is currently investigating the vulnerability.