Skype for Android has a Nasty Vulnerability
Names, e-mail addresses, phone numbers, contacts, and chat logs are all reportedly ripe for the picking in Skype's Android app, thanks to a vulnerability that could affect millions of users.
Android Police's Justin Case discovered the vulnerability after downloading a leaked version of Skype Video and poking around. He then found the same vulnerability in Skype for Android, which has been available since October 2010. Skype Mobile for Verizon is not affected by the vulnerability.
Update: Skype has posted a statement on its blog confirming the vulnerability.
"We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application," the company said.
"To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device."
The problem is that Skype keeps the user's profile information in a data directory with improper permissions, and stores the username in a static location. A malicious app on the same device could therefore locate and parse out this data with a bit of code. The same goes for Skype's tables of contacts and chats. The vulnerability doesn't expose passwords or financial information, just a wealth of personal data and private communications.
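The class of bug described here is a file-permission mistake, so the check a reviewer would run against an app's data directory is a permission audit. The following is an added example, not code from the article, from Android Police, or from Skype; the directory layout and file names it builds are constructed samples, not Skype's real paths. It walks a tree and reports the files an unrelated Unix user (on Android, any other app) could actually read, taking into account that a world-readable file is only reachable if every directory above it is world-searchable.

```python
"""Audit an app data directory for files another Unix user could read.

Added example, not from the article or from Skype. On Android each app
runs as its own Linux user, so ordinary file modes decide whether another
app can read a file: the file needs o+r and every ancestor directory,
starting at the data directory itself, needs o+x.
"""
import os
import stat
import tempfile


def world_readable_files(root):
    """Return relative paths under `root` that an unrelated user could read.

    A file counts only if it has the o+r bit and every directory from `root`
    down to it has the o+x bit; a private (0700) directory shields anything
    beneath it, however permissive the files inside are.
    """
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not os.stat(dirpath).st_mode & stat.S_IXOTH:
            dirnames[:] = []  # nothing below is reachable; stop descending
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IROTH:
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)


def build_sample_tree():
    """Construct a throwaway tree (sample data, not Skype's real layout):
    profile and chat databases left world-readable in a world-searchable
    directory, one private file, and one file shielded by a 0700 directory."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)  # world-searchable data directory (the mistake)
    layout = {
        "shared/profile.db": 0o644,   # exposed: o+r in an o+x directory
        "shared/chats.db": 0o644,     # exposed
        "shared/config.xml": 0o600,   # safe: no o+r bit
        "private/secret.db": 0o644,   # safe: parent directory lacks o+x
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "shared"), 0o755)
    os.chmod(os.path.join(root, "private"), 0o700)
    return root


if __name__ == "__main__":
    print(world_readable_files(build_sample_tree()))
```

The fix the audit points at is the one Skype's statement describes: drop the o+r and o+x bits on the data directory and its files so only the owning app's user can read them.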
"Imagine if Google accidentally leaked all of your Google Talk logs along with your e-mail address, name, and phone number -- such a breach might cause a mass user exodus, not to mention a federal inquiry," Case writes.
Those are serious allegations, and Skype says it's investigating. In the meantime, Case has uploaded a proof of concept to show how the vulnerability works.
This isn't Skype's first run-in with security issues. In 2008, users of Skype's "add video to chat" feature were subject to a programming error that briefly allowed attackers to run scripting code on the victim's computer, opening the door to malicious software. Skype plugged the hole a few weeks later. If Android users' data is indeed out in the open, hopefully a fix for the Android app won't take as long.