Vulnerabilities of the Skype API
With a landmark of six million concurrent online users set last month, Skype’s active user base is growing quickly. With many worms now targeting other IM platforms, it looks to be only a matter of time before Skype is targeted as an infection vector. The powerful features exposed by the Skype API make it a prime target for malicious code.
Towards the end of last year, Skype introduced a programming API with the intention of fostering a growing development community. Applications providing useful add-ons to Skype functionality and many hardware interfaces had been springing up over the previous months. Hoping to make development for these programmers less painful, introduce new add-ons to the product, and ultimately increase their market share in the face of the threats from Google Talk and Yahoo IM talk services, the Skype API was launched to capitalize on developer interest.
The Skype API allows stand-alone applications to communicate directly with a running Skype process by way of Windows Messaging. The Skype API is split into two components: the Skype Phone API and the Skype Access API. The Phone API provides an interface for connecting devices such as USB phones. For our purposes, the Skype Access API is of much more interest.
The Skype Access API enables external applications to control certain Skype functions; for example, to place a call or to get a Skype user profile. As you can imagine, this makes the API a very powerful tool, so what’s stopping people from using these features with malicious intent? Well, in this instance the Skype API explains that “In the interests of privacy and security, before an external application can take control, Skype pops up the name of the application to the user and asks if it is OK to allow access.” So, when an application attempts to make its connection to Skype, the user is presented with a pop-up window with the default “allow” option selected. However, the authorisation can be bypassed by programmatically clicking “OK,” with the user often barely noticing the window’s presence or the information provided.
Once connected to Skype by the API, attackers have access to all the key information related to the application. They can iterate through the contact list, saving information about each address book entry. They can view call and chat histories, place calls and start chat sessions and, conveniently, transfer files.
Skype has some security measures in place to prevent the spread of malware over its network. To send a file to a user, you must first be authorized by that user. This is indeed a good idea, and to bypass it attackers must resort to old-school social engineering: for example, messages sent from someone on your buddy list asking you to check out the latest Internet game, messages from Skype_Admin_23124512 telling you to install the latest patch, or messages from someone with an attractive profile picture or Web site.
Another interesting feature of the Skype API is mapping sound input and output to and from files. We can set up a virtual audio cable to place a call, play a pre-recorded sound file, and hang up. This can be used by telemarketers or be used for social engineering before sending a file.
Many of the above means of abuse are inherent in the commonly encountered messages that request user input. Risks can be decreased using techniques like time-delayed “OK” boxes, but ultimately cannot be completely eradicated. Users need to remember to be patient when installing and using Skype or any other software. They should pay particular attention to the implications of installing add-ons to an existing application, as the risks may outweigh the benefits of the particular feature they are hoping to use. Remember to read and understand the notices that are displayed by the Skype API before you click “OK”; this will give you the opportunity to reassess any security concerns.
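The time-delayed “OK” box mentioned above, modelled as an added example (not code from Skype or from the original article): a prompt that ignores “allow” until the notice has been on screen for a minimum time, makes “deny” the default button, and denies on timeout, compared with a prompt whose default is “allow”. The class, function and parameter names and the timing values are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class ConsentPrompt:
    """Model of an API access prompt (illustrative; not Skype's implementation)."""
    app_name: str
    min_display_s: float = 3.0      # "allow" is ignored until the notice has been up this long
    timeout_s: float = 30.0         # an unanswered prompt resolves to "deny"
    default_button: str = "deny"    # what Enter activates; the article's prompt defaults to "allow"
    clock: Callable[[], float] = time.monotonic   # injectable so the timing logic can be tested
    decision: Optional[str] = field(default=None, init=False)
    ignored_early_clicks: int = field(default=0, init=False)
    shown_at: float = field(default=0.0, init=False)

    def __post_init__(self) -> None:
        self.shown_at = self.clock()

    def click(self, button: str) -> Optional[str]:
        """Handle a button press; return the final decision, or None while still pending."""
        if self.decision is not None:
            return self.decision                 # first final answer wins
        elapsed = self.clock() - self.shown_at
        if elapsed >= self.timeout_s or button == "deny":
            self.decision = "deny"               # refusing is never delayed
        elif button == "allow" and elapsed < self.min_display_s:
            self.ignored_early_clicks += 1       # reflexive or scripted click: count it, do not act
        elif button == "allow":
            self.decision = "allow"
        return self.decision

    def press_enter(self) -> Optional[str]:
        """Enter activates whichever button is the default."""
        return self.click(self.default_button)


def compare_on_reflexive_enter(app_name: str = "ExampleAddon") -> dict:
    """Press Enter the instant each prompt appears and report what was granted."""
    weak = ConsentPrompt(app_name, min_display_s=0.0, default_button="allow")
    hardened = ConsentPrompt(app_name)
    return {"weak": weak.press_enter(), "hardened": hardened.press_enter()}


if __name__ == "__main__":
    print(compare_on_reflexive_enter())   # weak grants access, hardened denies
```

The `ignored_early_clicks` counter is worth logging in a real prompt: repeated “allow” presses arriving before the notice could have been read are a useful signal for detection.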