Skype may have been left vulnerable even after acquisition by Microsoft

The discovery of what appears to be backdoor code, mistakenly left in place by the development team, in Skype for Mac OS X will be an embarrassment for new owners Microsoft. It could, however, have been far more troubling for users as the code enabled access to personal content including contacts, chat logs and recordings.

Following responsible disclosure by the Trustwave researchers at SpiderLabs, who discovered the backdoor, an advisory has been issued and Skype has patched the vulnerability.

The vulnerability was a locally exploitable authentication bypass in the Skype Desktop API for Mac OS X, which exposes an API to local programs and plugins running on the machine. Any local program could bypass authentication by identifying itself as the program responsible for interfacing with the Desktop API on behalf of the Skype Dashboard widget.

SpiderLabs researchers put forward the possibility that the vulnerability was the result of “a backdoor entered into the Desktop API to permit a particular program written by the vendor to access the Desktop API without user interaction.” Given that the Desktop API provides for an undocumented client name identifier of ‘Skype Dashbd Wdgt Plugin’, this would seem more than likely.

The backdoor sidesteps the normal flow: instead of notifying the user of an access attempt and prompting for permission, the backdoor code makes no such notification and offers no opportunity to deny access. What's more, the client was not shown in the Manage API Clients list, so any program accessing the Desktop API this way remained completely hidden from the user.

Because no attempt is made to verify the programs accessing the Desktop API (they simply identify themselves with the undocumented client name identifier Skype Dashbd Wdgt Plugin), the way is open for abuse by malware running locally on the machine.
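A minimal model of the flaw described above, added here as an illustration and not taken from Skype's code: the first gate authorizes on the name a client declares about itself, the second prompts for and records every client. The class names, the `ask_user` callback and the `verified_id` parameter (an identity the platform vouches for) are assumptions made for the example.

```python
# Toy model of a local desktop API's client gate. Illustrative only:
# class names, ask_user and verified_id are hypothetical, not Skype's API.

WIDGET_NAME = "Skype Dashbd Wdgt Plugin"  # identifier quoted in the article


class VulnerableGate:
    """Authorizes on the name the client declares about itself."""

    def __init__(self, ask_user):
        self.ask_user = ask_user    # callback(label) -> bool, models the prompt
        self.managed_clients = {}   # models the "Manage API Clients" list

    def attach(self, declared_name):
        if declared_name == WIDGET_NAME:
            return True             # no prompt, nothing recorded
        allowed = self.ask_user(declared_name)
        self.managed_clients[declared_name] = allowed
        return allowed


class HardenedGate:
    """Authorizes on an identity the platform vouches for (assumed input);
    the declared name is only a display label."""

    def __init__(self, ask_user):
        self.ask_user = ask_user
        self.managed_clients = {}   # verified_id -> (label, allowed)

    def attach(self, declared_name, verified_id):
        if verified_id not in self.managed_clients:
            allowed = self.ask_user(f"{declared_name} [{verified_id}]")
            self.managed_clients[verified_id] = (declared_name, allowed)
        return self.managed_clients[verified_id][1]


def compare(user_answer=False):
    """Attach a client claiming the widget name to both gates while the
    user would answer `user_answer` to any prompt."""
    prompts = []
    def ask(label):
        prompts.append(label)
        return user_answer
    weak, strong = VulnerableGate(ask), HardenedGate(ask)
    weak_ok = weak.attach(WIDGET_NAME)
    strong_ok = strong.attach(WIDGET_NAME, "constructed-id-0001")  # constructed
    return weak_ok, weak.managed_clients, strong_ok, strong.managed_clients, prompts
```

With a user who would refuse every prompt, the first gate still grants access and its client list stays empty, which is the hidden access the advisory describes; the second gate prompts once, denies, and lists the client.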

SC Media UK spoke to Lawrence Munro, director of SpiderLabs EMEA at Trustwave, who told us that he knows Microsoft has an internal policy with code being validated prior to check-in “but it's unlikely a complete code review was performed on the Skype code base when MS took over Skype.”

That said, Munro goes on to state that he “would expect this to have been found, as the Desktop API was clearly a point of interest to attackers and such a simple failure would have been obvious to spot. One point we often see raised is the sheer size of the binary code base, which is certainly true.” In mitigation, Munro admits that a high turnover of developers can be a contributing factor for these kinds of flaws, as it makes it more likely for mistakes to go unnoticed.

If, as seems most likely, this was old dev code left behind rather than a malicious backdoor, it begs the question: how can development teams best make sure that such things just don't happen?

Tom Van Neerijnen, CTO at Drie, told SC “In this instance it looks like a mistake rather than something malicious, but it is a worrying indication of poor development practices. My guess is that the development team was being pushed hard to keep up with competition from the likes of WhatsApp and Open Whisper Systems and changes were not being reviewed as closely as they should be.”

Paul Farrington, manager of EMEA solution architects at Veracode, reckons that quality code needs to be made synonymous with secure code. “Development is moving so fast that often times security is overlooked” Farrington admitted in conversation with SC, continuing “Development teams can help ensure they aren't accidentally creating backdoors into the software by integrating security into their development processes – testing early and often for security defects.”

And for the smaller and less established development teams than the likes of Microsoft? “Something as simple as hardcoding backdoors to be development environment accessible only can be a temporary solution until a better policy is in place” suggests Matthew Aldridge, solutions architect at Webroot “but definitely shouldn't be relied upon in the long run.”

So, has Skype got more or less secure since the Microsoft acquisition and, indeed, is it 'secure enough' for enterprise use?

Lawrence Munro thinks the level of security is about the same since the acquisition as you don't often hear of security issues in Skype. “From memory” he told us “the last one was a Unicode decoding issue in handling messages with strange emoji/Chinese characters, over a year ago.” What's more, Microsoft doesn't include Skype in the bug bounty program which may contribute to the lack of interest.

And as for being secure enough for enterprise usage? “I'd say Skype is secure enough for enterprise use now” Munro concludes “especially from a local standpoint now that you can't just connect to the API without authentication on OS-X.” Munro couldn't comment on Windows from that perspective, however. As for enterprise mitigation measures against backdoors in chat applications, Munro was blunt with his reply:

“Backdoors are a difficult issue as I don't think there are any solutions that can mitigate them. Really that's one of the points of a backdoor – it's extremely useful to those that know it is there and yet leaves everyone else clueless...”