Topic: Serious vulnerability in Skype version for Android

[Samker]

According to a post at Android Police: http://www.androidpolice.com/2011/04/14/exclusive-vulnerability-in-skype-for-android-is-exposing-your-name-phone-number-chat-logs-and-a-lot-more/ , confirmed by Skype, the Android version of the popular VoIP app exposes extensive user data: http://blogs.skype.com/security/2011/04/privacy_vulnerability_in_skype.html

The Android Police report says user IDs, phone numbers, chat logs, and other data is exposed by the vulnerability.

User data is stored unencrypted in sqlite3 databases, and Skype for Android uses improper permissions for these databases. The user ID is stored in a static location, so once it is read, it allows access to these internal databases.

A rogue application is able to access the Skype databases, getting everything from stored user details through to chat logs. Justin Case, who published the vulnerability, has also published a proof-of-concept exploit.

(ElReg)