Friday, November 1, 2013

Security breach in Skype survey system (Microsoft)




Security Problem in Skype
By Amitay Dan (popshark1)

 
 Introduction
                                                                                                                                               
This white paper is showing how simple survey system which supposed to help the client, is causing a huge privacy risk.

The email of the client is not keeping under secure system after the time the client finished the chat support. Since then he transferred to unsecured survey system where his email can exposed very easy to anyone who use the same network (cable and Wi-Fi).

This attack can be a tool to hit Skype user by another well-known security flew which called Skype resolver, which basically work like that's: you give me email and I will find the nickname in Skype behind it, and after it his IP and his location.  The next move which many hacker do this days is to take him out of the internet by DDOS attack (denied of service), locate his movement all over the world and much more (by his IP).

The attack can include as well MITM, (man in the middle) so attacker would be able to manipulate the survey website and put inside malicious code, complete fake website and other creative attack[1]  

The other part of this security flew is the ability to spam the survey system which Skype use this days with false survey based on nothing, so the system won't give client idea or feedback but actually will be full of trash.

Another part is that's client will be able to send negative feedback about agent many times using his ID number in the system, and other emails as the client (like a revenge).
Microsoft as the owner of Skype should fix this problem by very simple patch.

1. Secure URL and one time secure token ID between the chat system and the survey system.        

Manifest

Skype as many other companies are asking the client to fulfill a survey after giving service, so the company will do better and improve the service.

Skype choose Decipher [2] to give it service for survey after using chat services for premium user, which were based on Moxie Software service[3]  during the time this security problem has been found, and now has been changed to be provided by mostly by LivePerson 

Business Solutions[4]. Yet, those two kind of chat services are working right now[5].

This paper will demonstrate two major attack: against Skype users' data while using the survey system, and against Skype survey system itself via Decipher services.

The proof of concept is working for sure during the use of the Moxie software service which show out in the URL as https://skype.ehosts.net/netagent/scripts/srvgate.dll?Action=1060
Which belong to Moxie Software CIM Corp. [6]


Proof of concept


                                                                                                                                                                                         



Attack against Skype clients

As you can see the user need to provide some information, included his Skype username and his email, the email is very important to understand this demonstration.

After the user is finishing the chat process he might get the following massage:  "We value your feedback. Please be aware that we will ask you a few questions after closing the chat window about your experience with us today" and then appears the survey system  which provided to Skype by Decipher [7].






The first thing we can see is there is no https in the URL and no encryption is providing during the session so anyone who sniff the network can see what the user do, write or gets from the system.

The funny part is that's Skype said to the user that’s his answer will be kept will be kept confidential:" Thank you for taking the time to complete the survey. Your feedback is important to us in how we can better improve our service.

"This survey should only take about 5 minutes of your time. Your answers to these questions will be kept confidential.  If you have any questions about the survey, please contact us at cssatisfaction@skype.net."

While checking the URL the survey I have realized that's the clients email is shown in clear text, as well as the Skype agent ID and the language which has been used during the chat which this survey pointing on.


As for the privacy Policy, the link seems to go nowhere so there is no privacy policy available for Skype survey …[8]




 






 
As for the client we can point on few major security problem based on my finding, basically based on the missing of secure line between the server and the client, so anyone can sniff those packets from the network he use, as Wi-Fi as for close networks such as universities, offices etc.[9]   (Skype and the user):

1.       His email can be tracked down while sniffing the URL of the survey
2.       His email can be a way to find his IP by his Skype nickname via Skype Resolver[10]
3.       The location can be found by the IP as well as his cellular provider etc.[11]
4.       The survey information which the attacker got can be a tool to send direct email
5.       By using the email the attacker can find the identity of the client not only in Skype, but even in services like Facebook, so his face can be add to the data very easy, as well as many other information. 
6.       Man In The Middle Attack (MITM) included fake website, malicious code etc.  [12]
7.       with files with virus or phishing activity like Skype login reset, those based on his survey ,which only him and Skype supposed to know about (very tricky even for security expert) 
8.       Unlike the words "Your answers to these questions will be kept confidential" all the data which the client will provide during the survey will be not secure and anyone in the same network will be able to track this data.


Now for the System problem:

Attack against Skype system

As for Skype I've realized that after starting the survey I'm getting very useful link if my motivation is to spam the survey system with false survey, or even better to send negative opinions against specific agent which I don't like.
The links looks like that’s:

    http://v2.decipherinc.com/survey/selfserve/a79/sky13009a?co=us&chat_id=2*****4&chat_queue=94&chat_lang=11&custemail=noname%40gmail.com&agent_id=1314&topic=

http://v2.decipherinc.com/survey/selfserve/a79/sky13009a?co=us&chat_id=2*****3&chat_queue=59&chat_lang=11&custemail= noname%40gmail.com &agent_id=2000&topic=Spam

1.       sky13009a should be Skype nickname in Decipher Inc system
2.       chat_id After the chat ID appears the chat number which was in mine based on seven digits
3.       chat_lang=11 – That's for the chat language and 11 is for English
4.       custemail – This is where the client ID of this help chat exposed
5.       agent_id – That’s for the agent ID and those number are really important for this attack.
6.       Topic – The topic mean topic, why the client contacted the customer service via the chat system.

   I have found that’s I can play with this string with no limits. As long as I'm using all the rules, I can check what the current chat ID is and add in any email I want with any agent ID I want under any client's email.

Since those are two different system, the survey system and the chat system based on more the three different companies who needs to send or to gets data based on this survey system (Decipher, Moxie Software, Skype, Microsoft LivePerson*)

The survey system by Decipher just use the URL string provided by Moxie Software under the name 'ehosts.net', after it Skype supposed to get this data from Decipher survey in their account. 

I'm not sure about LivePerson system but it seems their more connected to Microsoft and yet no survey system has been show there (it seems they need to improve the integration) then Skype old chat system which is based Moxie Software.




Attacker can do major activity against Skype/Microsoft
1.       Spam of many surveys with negative results against Agent or generally the service, this with the help of Auto fill Forms software[13]
2.       As a results agents will have bad survey feedback
3.       The survey system will have to be clean from trash and false data.


Solutions

Microsoft as the owner of Skype should fix this problem by very simple patch

1.       Secure URL and signature from known provider
2.         One time secure token ID between the chat system and the survey system

 Epilogue

Since Microsoft took my advice, and fixed the problem , I'm being able to disclose this with the public. keeping client information secure is something which companies need to do even when they offer us survey.

Microsoft learn the lesson,and now Skype survey system is secure. you even can see the Privacy Policy, they did the job well.

While checking other companies, I've realized that's our private information are spreading around,but this will be the next chapter...

Microsoft did mention my name in "Microsoft Security Researcher Acknowledgments for Microsoft Online Services" [14]   




This white paper made by
Amitay Dan

popshark11.blogspot.com




2 comments:

  1. Hi. I reached your blog while searching for "https://v2.decipherinc.com", as I've received a Skype survey. Thanks for your sharing!

    ReplyDelete
  2. Interesting blog. It would be great if you can provide more details about it. Thanks you
    Skype Technical Help

    ReplyDelete