Security researchers have discovered a flaw in Skype for Business that enables hackers to launch a DoS attack against the platform by sending large numbers of emojis on the instant messaging client.
According to a blog post by researchers at SEC Consult Vulnerability Lab, an attacker need only send send a certain amount of emojis to force the recipient’s Skype for Business client to stop working.
For the attack to work, a malicious sender would invite the victim to join a meeting or simply contacts them via Skype and sends a huge amount of emojis, e.g. cute kittens.
"When receiving about 800 kittens at once, your Skype for Business client will stop responding for a few seconds. If a sender continues sending emojis your Skype for Business client will not be usable until the attack ends," said researchers.
Researchers released a proof of concept to check, whether or not a client freezes upon receiving a few hundred emojis. Researchers added that among the affected clients were Skype for Business 2016 MSO (16.0.93).64-Bit or before or Lync 2013 (15.0) 64-Bit part of Microsoft Office Professional Plus 2013 or before. Both are running on Windows.
They added that organisations should install the latest patch supplied by Microsoft and make sure your system is up to date, in general. If patching your system is not an option, organisations should block the malicious sender, disable emojis in a user’s Skype for Business client, and set appropriate privacy options in Skype for Business settings, so only people from a user’s contact list can send messages.
Adam Brown, manager of security solutions at Synopsys, told SC Media UK that though the impact of this attack is relatively low - a temporary DoS on a messenger client is more of a nuisance than anything.
"There is already a patch to prevent this attack and administrators should upgrade. If the upgrade hasn’t happened yet then users should be wary when receiving contact requests from unknowns. If you do fall victim (you’ll know because of all the kitten emoji’s in the chat window) you may need to restart Skype / Lync," he said.
Andy Lilly, CTO of Armour Comms, told SC Media UK that this sort of issue highlights the importance of good design and ‘provocative’ quality testing to try to anticipate how users can break things, whether by accident or with malicious intent.
"A classic example of how a fast response is important for both the developer (from finding an issue to releasing a patch) and the users (watching for patches and applying them as soon as they become available). Of course, patching may be limited by the need for an organisation’s IT group to test the patches before deploying them but in this day-and-age there is no excuse for at any level of an organisation for having lax patching practices," he said.
"Like many chat applications that are as much for social media as for business use, any lack of control over users (such as allowing anyone to sign up for the service, rather than specifically authorising each applicant) opens up the messaging system to a range of what are effectively ‘insider’ vulnerabilities."