According to Zacharis Alexandros, an independent researcher, a bug in Skype was discovered in January, but it has only recently been bought to light following the successful patch of the problem by Microsoft. He dubbed the bug, Spyke.
In a blog post (at time of publication, the article on LinkedIn (also owned by Microsoft) appears to have disappeared – here is a cached page), Alexandros said the problem mainly affected the Windows version of the VoIP application and to mount an attack, a hacker would need local access to the login screen of a running Skype instance.
He said that the vulnerability targets the fact that Skype instance contains an embedded Internet Explorer browser used for authentication purposes. An attacker can circumvent the normal authentication process and abuse the login via Facebook function to fingerprint the Internal Browser (IE), execute code in the context of the Skype process, phish credentials, and over communication traces.
“More advanced attacks can use valid exploits of Internet Explorer running inside Skype, to crash Skype and cause code execution of malicious code on the underlying operating system in an attempt to perform local privilege escalation attacks,” said Alexandros.
He added that any system using Skype Client 220.127.116.11 and older versions that allow Facebook Login as an option are vulnerable. “Systems that use Skype and are publicly reachable like info kiosks or smart TV appliances, are particularly more attractive than local private systems (PCs) in order to be used for phishing attacks,” he warned.
The researcher also uploaded a video showing a proof of concept where code can be taken from Facebook's developer site from inside Skype and crash the app. A hacker could also replace the login with a fake one to phish for a victim's credentials.
After alerting Microsoft to the problem, the company released a patch to fix the problem on 24 March.
Oliver Pinson-Roxburgh, EMEA director at AlertLogic, told SC Magazine UK that the issue was bad, “because it allows you to get access to malicious tools”.
“Phish users do all sorts through the Facebook developer tools. If the attacker has access to a restricted terminal they can use this flaw to extend access by browsing to exploit kits or download tools,” he said.
“In addition, you could steal local credentials through phishing using this to trick the user. The other key thing is that a lot of this would look like just normal Skype activity.”
Matan Hart, security researcher at CyberArk Labs, told SC Magazine UK that in many ways, the "Spyke" attack vector has limited power.
“It requires the attacker to have already gained access to the victim's system, and the attack surface is restricted to the context of the Skype app. However, if Skype is running under administrative credentials this could lead to an effective local privilege escalation. This means attackers could move laterally through the target network to get to a business's highest value assets and cause irreparable damage,” he said.