Security Problem in Skype
By Amitay Dan (popshark1)
Introduction
This white paper shows how a simple survey system, which is supposed to help the client, causes a huge privacy risk.
The client's email is not kept under a secure system once the client has finished the chat support session. From then on he is transferred to an unsecured survey system, where his email can be exposed very easily to anyone who uses the same network (cable and Wi-Fi).
This attack can be a tool to hit a Skype user through another well-known security flaw called Skype resolver, which basically works like this: you give me an email and I will find the Skype nickname behind it, and after that his IP and his location. The next move, which many hackers make these days, is to take him off the internet with a DDoS attack (denial of service), track his movements all over the world and much more (by his IP).
The attack can also include MITM (man in the middle), so an attacker would be able to manipulate the survey website and insert malicious code, a complete fake website and other creative attacks [1].
The other part of this security flaw is the ability to spam the survey system which Skype uses these days with false surveys based on nothing, so the system won't provide client ideas or feedback but will actually be full of trash.
Another part is that a client will be able to send negative feedback about an agent many times, using the agent's ID number in the system and other emails as the client (like a revenge).
Microsoft, as the owner of Skype, should fix this problem with a very simple patch:
1. A secure URL and a one-time secure token ID between the chat system and the survey system.
Manifest
Skype, like many other companies, asks the client to fill out a survey after giving service, so the company can do better and improve the service.
Skype chose Decipher [2] to provide its survey service after premium users use the chat service, which was based on the Moxie Software service [3] at the time this security problem was found, and has now been changed to be provided mostly by LivePerson Business Solutions [4]. Yet both kinds of chat service are working right now [5].
This paper will demonstrate two major attacks: against Skype users' data while using the survey system, and against the Skype survey system itself via Decipher services.
The proof of concept works for sure when the Moxie Software service is in use, which shows up in the URL as https://skype.ehosts.net/netagent/scripts/srvgate.dll?Action=1060, which belongs to Moxie Software CIM Corp. [6]
Proof of concept
Attack against Skype clients
As you can see, the user needs to provide some information, including his Skype username and his email; the email is very important for understanding this demonstration.
After the user finishes the chat process he might get the following message: "We value your feedback. Please be aware that we will ask you a few questions after closing the chat window about your experience with us today", and then the survey system appears, which is provided to Skype by Decipher [7].
The first thing we can see is that there is no https in the URL and no encryption is provided during the session, so anyone who sniffs the network can see what the user does, writes or gets from the system.
The funny part is that Skype tells the user that his answers will be kept confidential: "Thank you for taking the time to complete the survey. Your feedback is important to us in how we can better improve our service."
"This survey should only take about 5 minutes of your time. Your answers to these questions will be kept confidential. If you have any questions about the survey, please contact us at cssatisfaction@skype.net."
While checking the survey URL I realized that the client's email is shown in clear text, as well as the Skype agent ID and the language used during the chat which this survey points to.
As for the Privacy Policy, the link seems to go nowhere, so there is no privacy policy available for the Skype survey… [8]
As for the client, we can point to a few major security problems based on my findings, essentially based on the lack of a secure line between the server and the client (Skype and the user), so anyone can sniff those packets from the network he uses, whether Wi-Fi or closed networks such as universities, offices etc. [9]:
1. His email can be tracked down by sniffing the URL of the survey
2. His email can be a way to find his IP by his Skype nickname via Skype Resolver [10]
3. The location can be found from the IP, as well as his cellular provider etc. [11]
4. The survey information which the attacker got can be a tool to send direct email
5. By using the email the attacker can find the identity of the client not only in Skype but even in services like Facebook, so his face can be added to the data very easily, as well as much other information.
6. Man In The Middle attack (MITM), including a fake website, malicious code etc. [12]
7. With files containing a virus, or phishing activity such as a Skype login reset, based on his survey, which only he and Skype are supposed to know about (very tricky even for a security expert)
8. Contrary to the words "Your answers to these questions will be kept confidential", all the data which the client provides during the survey will not be secure, and anyone on the same network will be able to track this data.
Now for the System problem:
Attack against Skype system
As for Skype, I realized that after starting the survey I get a very useful link if my motivation is to spam the survey system with false surveys or, even better, to send negative opinions against a specific agent whom I don't like.
The links look like this:
http://v2.decipherinc.com/survey/selfserve/a79/sky13009a?co=us&chat_id=2*****4&chat_queue=94&chat_lang=11&custemail=noname%40gmail.com&agent_id=1314&topic=
http://v2.decipherinc.com/survey/selfserve/a79/sky13009a?co=us&chat_id=2*****3&chat_queue=59&chat_lang=11&custemail=noname%40gmail.com&agent_id=2000&topic=Spam
1. sky13009a – should be the Skype nickname in the Decipher Inc system
2. chat_id – after chat_id appears the chat number, which in my case was seven digits
3. chat_lang=11 – this is the chat language, and 11 is for English
4. custemail – this is where the client ID of this help chat is exposed
5. agent_id – this is the agent ID, and those numbers are really important for this attack.
6. topic – the topic means why the client contacted customer service via the chat system.
I have found that I can play with this string without limits. As long as I follow all the rules, I can check what the current chat ID is and add any email I want with any agent ID I want under any client's email.
Since those are two different systems, the survey system and the chat system, based on more than three different companies who need to send or get data based on this survey system (Decipher, Moxie Software, Skype, Microsoft LivePerson*), the survey system by Decipher just uses the URL string provided by Moxie Software under the name 'ehosts.net'; after that, Skype is supposed to get this data from the Decipher survey in their account.
I'm not sure about the LivePerson system, but it seems they're more connected to Microsoft than Skype's old chat system, which is based on Moxie Software, and yet no survey system has been shown there (it seems they need to improve the integration).
An attacker can carry out major activity against Skype/Microsoft:
1. Spam of many surveys with negative results against an agent or the service generally, with the help of auto-fill forms software [13]
2. As a result, agents will have bad survey feedback
3. The survey system will have to be cleaned of trash and false data.
Solutions
Microsoft, as the owner of Skype, should fix this problem with a very simple patch:
1. Secure URL and signature from a known provider
2. One-time secure token ID between the chat system and the survey system
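One way to implement the one-time secure token recommended above, as an added example (not code from Skype, Decipher or the author of this paper): the chat side signs the chat and agent IDs with an HMAC, and the survey side accepts each token once, so the customer's email stays out of the URL and an edited agent_id is rejected. The shared key, the 15-minute lifetime, the in-memory nonce set and the survey.example host are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

SECRET = secrets.token_bytes(32)  # assumption: key shared by chat and survey back ends
TTL_SECONDS = 900                 # assumption: survey link is valid for 15 minutes
_used_nonces = set()              # assumption: stand-in for a shared datastore


def issue_survey_token(chat_id, agent_id, now=None):
    """Chat side: bind the chat and agent IDs into a signed, expiring token."""
    issued = int(now if now is not None else time.time())
    payload = {"chat_id": chat_id, "agent_id": agent_id,
               "nonce": secrets.token_hex(16), "exp": issued + TTL_SECONDS}
    body = urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{sig}"


def redeem_survey_token(token, now=None):
    """Survey side: return the payload once; None if forged, expired or reused."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # any edited parameter breaks the signature
        payload = json.loads(urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None      # malformed token
    if (now if now is not None else time.time()) > payload["exp"]:
        return None      # link too old
    if payload["nonce"] in _used_nonces:
        return None      # a second survey for the same chat is refused
    _used_nonces.add(payload["nonce"])
    return payload


def survey_url(token):
    """Build the survey link: https only, and no customer email in the query."""
    return f"https://survey.example/s?t={token}"
```

The survey back end would look up the customer's email server-side from the chat ID in the redeemed payload rather than reading it from the query string.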
Epilogue
Since Microsoft took my advice and fixed the problem, I am able to disclose this to the public. Keeping client information secure is something companies need to do even when they offer us a survey.
Microsoft learned the lesson, and now the Skype survey system is secure. You can even see the Privacy Policy; they did the job well.
While checking other companies, I realized that our private information is spreading around, but this will be the next chapter...
Microsoft did mention my name in "Microsoft Security Researcher Acknowledgments for Microsoft Online Services" [14]
This white paper was made by Amitay Dan
popshark11.blogspot.com