Samker's Computer Forum - SCforum.info

Security Software Armory: => Anti-Virus (Security Suite) => Mobile Phone Security => Topic started by: Samker on 16. April 2011., 19:46:41

Title: Serious vulnerability in Skype version for Android
Post by: Samker on 16. April 2011., 19:46:41
(http://1.bp.blogspot.com/-XTYoFbRh3uY/TVwy_dHZmzI/AAAAAAAAAFE/M1g9-b-Wrno/s250/skype%2BAndroid.jpg)

According to a post at Android Police: http://www.androidpolice.com/2011/04/14/exclusive-vulnerability-in-skype-for-android-is-exposing-your-name-phone-number-chat-logs-and-a-lot-more/ (http://www.androidpolice.com/2011/04/14/exclusive-vulnerability-in-skype-for-android-is-exposing-your-name-phone-number-chat-logs-and-a-lot-more/) , confirmed by Skype, the Android version of the popular VoIP app exposes extensive user data: http://blogs.skype.com/security/2011/04/privacy_vulnerability_in_skype.html (http://blogs.skype.com/security/2011/04/privacy_vulnerability_in_skype.html)

The Android Police report says user IDs, phone numbers, chat logs, and other data is exposed by the vulnerability.

User data is stored unencrypted in sqlite3 databases, and Skype for Android uses improper permissions for these databases. The user ID is stored in a static location, so once it is read, it allows access to these internal databases.

A rogue application is able to access the Skype databases, getting everything from stored user details through to chat logs. Justin Case, who published the vulnerability, has also published a proof-of-concept exploit.

(ElReg)