A backdoor in Microsoft Skype on Mac OS X?


by ѠOOT

Trustwave recently reported a locally exploitable issue in the Microsoft Skype Desktop API on Mac OS-X, which provides an API to local programs/plugins executing on the local machine. The API is formally known as the Desktop API and it enables third-party applications to communicate with Microsoft Skype.

As described in the Trustwave advisory, the issue is an authentication by-pass discovered in the API whereby a local program could by-pass authentication if they identified themselves as the program responsible for interfacing with the Desktop API on behalf of the Microsoft Skype Dashboard widget program.

A Backdoor?

An interesting possibility is that this bug is the result of a backdoor entered into the Desktop API to permit a particular program written by the vendor to access the Desktop API without user interaction. Indeed, this possibility seems even more likely when you consider that the Desktop API provides for an undocumented client name identifier (namely "Skype Dashbd Wdgt Plugin").

Notifying the user of Desktop API through the backdoor works differently than the normal course of action which is to notify the user of an access attempt and prompt the user for permission. In the case of the backdoor no such notification attempt is made and as such the user is not given the opportunity to deny access. Furthermore, no mention is made in the "Manage API Clients" list. This allows any program accessing the Desktop API through the backdoor to remain hidden from the user.

Finally, no attempts are made to determine which programs are accessing the Desktop API, since they identify themselves as the undocumented client name identifier "Skype Dashbd Wdgt Plugin". This opens up the potential for abuse by third-party programs, including malware, running locally on the machine.

An unused backdoor?

Curiously, the actual Microsoft Skype Dashboard widget does not seem to utilize the backdoor into the Microsoft Skype Desktop API despite the name "Skype Dashbd Wdgt Plugin". This raises the possibility that the backdoor is the result of a development accident which left the code behind accidentally during the process of implementing the Dashboard plugin. If it was a coding accident, it is an old one. Our investigations have shown that the string "Skype Dashbd Wdgt Plugin" has been present in versions of Microsoft Skype for Mac OS-X for some 5 years!

Discontinued, but not forgotten

The Desktop API is being discontinued and gradually phased out of the Microsoft Skype application across all platforms. However, the original Desktop API was text based and documentation.

What can you access?

The Desktop API, in previous versions, permitted access to nearly everything that Microsoft Skype can offer. This included, but was not limited to: notifications of incoming messages (and their contents), modifying messages and creating chat sessions, ability to log and record Microsoft Skype call audio to disk and retrieve user contacts. In later versions of the Desktop API, access to text messages was dropped from the specification but access to other features remained.

How easy is the backdoor to use?

Accessing the backdoor is as easy as changing a single line of code..

2011 - Microsoft acquires Skype (with its 170+ million users)
2016 - Discovery of a possible 5-year-old backdoor in Skype for Mac OS X
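
The trust decision described in the post, reduced to a toy model and shown next to one possible hardened form. This is an added example, not code from the post, Trustwave or Skype; the classes, the `signer` field and the sample signer names are hypothetical stand-ins (a real check would verify the caller's code signature).

```python
# Toy model of the authorization flaw (added example; not Skype code).
# Class names, fields and signer values are hypothetical.
from dataclasses import dataclass, field

EXEMPT_NAME = "Skype Dashbd Wdgt Plugin"  # identifier quoted in the article


@dataclass
class Client:
    claimed_name: str  # self-asserted by the connecting program
    signer: str        # constructed stand-in for a verified signing identity


@dataclass
class FlawedBroker:
    """Exempts a client from the prompt based on its self-asserted name."""
    visible_clients: list = field(default_factory=list)
    prompts: int = 0

    def authorize(self, c: Client, user_allows: bool = False) -> bool:
        if c.claimed_name == EXEMPT_NAME:
            return True  # no prompt, no entry in the client list
        self.prompts += 1
        if user_allows:
            self.visible_clients.append(c.claimed_name)
        return user_allows


@dataclass
class HardenedBroker:
    """Ignores the claimed name; only a verified signer skips the prompt,
    and every authorized client is listed for the user."""
    trusted_signers: frozenset = frozenset()
    visible_clients: list = field(default_factory=list)
    prompts: int = 0

    def authorize(self, c: Client, user_allows: bool = False) -> bool:
        if c.signer not in self.trusted_signers:
            self.prompts += 1          # user is always asked
            if not user_allows:
                return False
        self.visible_clients.append((c.claimed_name, c.signer))
        return True
```
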