Date: Fri, 17 May 2013 00:41:09 +0300
From: Kirils Solovjovs <kirils.solovjovs@...ils.com>
To: full-disclosure@...ts.grok.org.uk
Subject: On Skype URL eavesdropping

You may have read about this in another list.
http://lists.randombit.net/pipermail/cryptography/2013-May/004224.html
http://financialcryptography.com/mt/archives/001430.html


I'd like to give out some observations and point out some not so obvious 
risks (as if Microsoft Skypying™ on your conversations is not enough).

Requests always come from the same IP 65.52.100.214.
They have referrer and user agent set to a dash "-".
They are always HEAD requests which immediately follow 302 redirects.
They access both http and https links despite some speculations saying 
that they do it one way or the other.
This is a relatively new phenomenon that by my accounts is happening 
since the end of April 2013.


Sidenote: A couple of years ago before acquisition by Microsoft, Skype 
expressed an unhealthy level of interest in my work, so I decided to run a 
privacy test trying to catch them red handed. I set up some traplinks, 
but to this day no one has triggered them. Maybe it had to do with me 
using a Linux version of their client at that time...


Back to the point. Now that it's clear that [at least] links from users' 
private chats somehow magically end up at Redmond, it's obviously a 
privacy issue of having some usernames/password/sessions/whatever 
embedded in the URL.

But this also allows the sysad/webmaster to see when a link is shared on 
Skype. And with a little magic logic, to see the IP address(es) of 
people receiving that link.
To give you an example, I was able to learn that just around midnight of 
May 7 the paper 
http://kirils.org/skype/stuff/pdf/2011/ms_thesis_analysis.pdf was shared 
between a student of Chalmers University and a student of Comenius 
University via Skype (oh, the irony).

Who shared what when? Skype knows.



Now how about some trolling... er, I mean security implications for 
Microsoft themselves....

RewriteCond %{REMOTE_HOST}  65\.52\.100\.214
RewriteCond %{REQUEST_METHOD} HEAD
RewriteRule .* http://123 [R=302,L]

where 123 can be either one of:
1) an offensive url, e.g. goatse
2) a redirect loop
3) a CSRF to a local device, see 
http://nakedsecurity.sophos.com/2013/04/11/anatomy-of-an-exploit-linksys-router-remote-password-change-hole/


Kirils Solovjovs
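
An added example, not part of the original post: a log filter that matches the request fingerprint described above (source IP 65.52.100.214, HEAD method, "-" referrer and user agent) and lists which fetched URLs carried credential-like query parameters, so the site operator can rotate them. The combined log format, the parameter-name list and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Fingerprint taken from the post: fixed source IP, HEAD method,
# referrer and user agent both logged as "-".
SCANNER_IP = "65.52.100.214"
# Assumption: parameter names that usually carry credentials or session state.
SENSITIVE = {"token", "session", "sid", "password", "passwd", "key", "auth"}

# Assumption: Apache/nginx "combined" access log format.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def scanner_hits(lines):
    """Yield (timestamp, path, exposed_param_names) for each matching request."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        if (m["ip"], m["method"], m["ref"], m["ua"]) != (SCANNER_IP, "HEAD", "-", "-"):
            continue
        url = urlsplit(m["target"])
        exposed = sorted(k for k, _ in parse_qsl(url.query, keep_blank_values=True)
                         if k.lower() in SENSITIVE)
        yield m["ts"], url.path, exposed

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [07/May/2013:00:01:10 +0300] "GET /doc.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
65.52.100.214 - - [07/May/2013:00:03:42 +0300] "HEAD /doc.pdf HTTP/1.1" 200 - "-" "-"
65.52.100.214 - - [07/May/2013:00:09:15 +0300] "HEAD /reset?user=bob&token=abc123 HTTP/1.1" 200 - "-" "-"
65.52.100.214 - - [07/May/2013:00:11:00 +0300] "GET /robots.txt HTTP/1.1" 200 68 "-" "bot/1.0"
""".splitlines()

if __name__ == "__main__":
    for ts, path, exposed in scanner_hits(SAMPLE_LOG):
        note = "rotate: " + ", ".join(exposed) if exposed else "no secrets in query"
        print(f"{ts}  {path}  {note}")
```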
