Mac and Skype: Intersection Provides for a Backdoor

Skype is a well-used and accepted application used to communicate, for consumers and commercial purposed, with a combined auditory and visual factors. This is used to catch up with friends or have a business meeting. Recently an issue was noted. There is a backdoor that was noted in the Skype app as used with Apple’s Mac OS and Mac OSX. This could be used to monitor the user’s activities and communications. This would be done without the knowledge of either party on the call. The backdoor was found in the desktop API. This has been present since approximately 2010.

Unfortunately, the vulnerability is easily exploited. The attacker simply has to change a text string to “Skype Dashbd Wdgt Plugin”. This identifies the attacker as a Skype Dashboard widget program. At this point, the attacker would have access to the user’s Skype account. This access allows the attacker to read notifications of the incoming messages, reading the messages, alter the messages, record Skype the call’s audio, and other functions.

All is not lost. There is a patch available to remove the exploit, which should be deployed.

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.