Skype acknowledges Android vulnerability

Posted by Trent Nouveau

Skype says it working to protect Android users from a critical security vulnerability.

"It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files," Skype rep Adrian Asher confirmed.

Skype acknowledges Android vulnerability"These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application."

As TG Daily previously reported, Android developer "Justin Case" recently identified the vulnerability which could be exploited to reveal names, phone numbers and chat logs.

"Inside the Skype data directory is a folder with the same name as your Skype username, and it's here where Skype stores your contacts, your profile, your instant message logs, and more in a number of sqlite3 databases," Case explained.

"But Skype mistakenly left these files with improper permissions, allowing anyone or any app to read them. Not only are they accessible, but completely unencrypted."

According to Case, the most interesting file one can gain access to is main.db, which stores such information as account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone and email addresses.

"Moving further along, looking into the Chats table, we can see your instant messages - and that's just the tip of it. Scary. This means that a rogue developer could modify an existing application with code from our 
Proof of Concept (without much difficulty), distribute that application on the Market, and just watch as all that private user information pours in," he warned.

"While the exploit can't steal your credit card info, the data it's harvesting is still clearly very private. Imagine if Google accidentally leaked all of your Google Talk logs along with your e-mail address, name, and phone number - such a breach might a cause a mass user exodus, not to mention a federal inquiry."