Skype For Mac Includes Well Lubricated Back Orifice

Lending further credence to the working theory that USG.MSFT is at best avoided, a backdoor in Skype for Mac OSX was recently revealed by Trustwave SpiderLabs (archived). The hole – an authentication bypass – allows any program identifying itself as "Skype Dashbd Wdgt Plugin" to attach to the Skype Desktop API, making it trivial for the attacker to access notifications and contents of incoming messages, modify messages, create chat sessions, retrieve contacts, and log and record Skype calls.

The code for this game of doppelganger is no more complicated than:

  NSDistributedNotificationCenter *defaultCenter =
        [NSDistributedNotificationCenter defaultCenter];
  [defaultCenter postNotificationName:@"SKSkypeAPIAttachRequest"
                 object:(__bridge NSString *) CFSTR("Skype Dashbd Wdgt Plugin")];

Users of Skype for Mac OSX versions from at least the last 5 years are affected. Users are advised to upgrade to Anything But Microsoft (™).
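For defenders, the same notification bus can be watched. The following is an added example, not code from the original post or from Trustwave: a small monitor that logs every `SKSkypeAPIAttachRequest` seen in the login session and flags requests claiming the widget name. It assumes an unsandboxed tool running in the same user session as Skype; the file name `attachwatch.m` is hypothetical.

```objc
// Added example: log Skype Desktop API attach requests seen on the
// distributed notification bus of the current login session.
// Build (assumed file name): clang -fobjc-arc -framework Foundation attachwatch.m -o attachwatch
#import <Foundation/Foundation.h>

// Both strings are taken from the snippet quoted in the post.
static NSString *const kAttachRequest = @"SKSkypeAPIAttachRequest";
static NSString *const kWidgetName    = @"Skype Dashbd Wdgt Plugin";

int main(void) {
    @autoreleasepool {
        NSDistributedNotificationCenter *center =
            [NSDistributedNotificationCenter defaultCenter];

        // object:nil matches any client string; queue:nil runs the block
        // on the thread that delivers the notification (the main run loop).
        [center addObserverForName:kAttachRequest
                            object:nil
                             queue:nil
                        usingBlock:^(NSNotification *note) {
            // A distributed notification carries only a name, an object
            // string and userInfo. Nothing identifies the sending process,
            // so the "client" logged here is whatever the sender claimed.
            NSString *claimed = [note.object isKindOfClass:[NSString class]]
                                    ? (NSString *)note.object
                                    : @"(none)";
            BOOL widget = [claimed isEqualToString:kWidgetName];
            NSLog(@"attach request, claimed client \"%@\"%@", claimed,
                  widget ? @" [self-declared widget identity]" : @"");
        }];

        // Keep the process alive so notifications continue to be delivered.
        [[NSRunLoop mainRunLoop] run];
    }
    return 0;
}
```

The log can only record the claimed name, never the real sender, which is the root of the bypass: a string the caller supplies is not an identity.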
