Those innocent-looking apps in your smartphone can secretly spy on your communications or could allow hackers to do so.
Hard to believe, but it’s true.
Recently, Trustwave’s SpiderLabs analysts discovered a hidden backdoor in Skype for Apple’s macOS and Mac OS X operating systems that could be used to spy on users’ communications without their knowledge.
The backdoor actually resides in the desktop Application Programming Interface (API) that allows third-party plugins and apps to communicate with Microsoft-owned Skype — the popular video chat and messaging service.
Appeared to have been around since at least 2010, the backdoor could allow any malicious third-party app to bypass authentication procedure and provide nearly complete access to Skype on Mac OS X.
How an Attacker can Take Complete Control of Your Skype
The malicious app could bypass authentication process if they "identified themselves as the program responsible for interfacing with the Desktop API on behalf of the Skype Dashboard widget program."
Accessing this backdoor is incredibly easy. All hackers need to do is change a text string in apps to this value → "Skype Dashbd Wdgt Plugin," and the desktop API would provide access to sensitive features of Skype.
An attacker or any malicious program abusing this hidden backdoor could perform the following actions:Read notifications of incoming messages (and their contents)
Intercept, read and modify messages
Log and record Skype call audio
Create chat sessions
Retrieve user contact information
The researchers have also provided proof-of-concept Objective-C code that initiates the connection process without asking the user for permission for the process to attach to Skype:
The backdoor believes to have been created by a developer at Skype before Microsoft acquired the company and likely exposed more than 30 Million Mac OS X users.
Update Your Skype Installation Now!
Trustwave notified Microsoft of the vulnerability in October, and the company has patched the issue in Skype 7.37 and later versions.
Here’s what a Microsoft spokesperson said about the backdoor:
"We do not build backdoors into our products, but we do continuously improve the product experience [and] product security and encourage customers to always upgrade to the latest version."
Trustwave also speculated that the backdoor believed to have been accidently left in Skype "during the process of implementing the dashboard plugin," as the Skype dashboard widget does not appear to utilize it.
All versions of Skype for macOS and Mac OS X, including 7.35 version, are vulnerable. So users are strongly recommended to update their Skype installation as soon as possible.