Skype Profile info left vulnerable to malicious applications

Skype vulnerability

Skype on Friday issued a public response to a security issue uncovered recently that leaves some profile and message information open and vulnerable to malicious applications. Uncovered by Android Police, the vulnerability deals with the way the Skype Android application stores some personal information, making your profile information -- and your Skype contacts' profile information (among other bits of Skype data) -- readable by any other application on the device that goes looking for it. Skype, on its blog, has said:

It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files.

These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.

To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.

That's a fairly serious hole, and it's good that it was discovered, reported and is being fixed. So have you been in any danger all this time? Possibly, but you would have had to have installed a malicious application that knew to run this exploit in the first place. Chances of that are fairly low, but not out of the question. And it's important to remember that we're talking about Skype data, not the full contacts list on your phone. That doesn't mean it's not a gaping hole that needs to be closed; but neither are we worried about the sky falling. Be careful what you download, folks. [Skype, Android Police]
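The fix Skype describes, "securing the file permissions" on its locally stored files, comes down to making sure nothing in the app's private data directory is readable by other accounts: Android runs each app under its own UID, so a file left world-readable there is readable by every other app on the phone. The following Python script is an added example, not code from Skype, Android Police or this article. It audits a directory tree for files that group or other can read or write, shows how to write a cache file owner-only from the start, and remediates anything already exposed. The directory and file names (`cached_profile.db`, `messages.db`) are constructed placeholders inside a temporary directory standing in for an app's data directory, not Skype's actual file names.

```python
import os
import stat
import tempfile

# Permission bits that let any UID other than the owner read or write a file.
# On Android each app is its own UID, so these bits expose the file to other apps.
SHARED_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def exposed_to_others(path):
    """True if accounts other than the owning UID can read or write the file."""
    return bool(os.stat(path).st_mode & SHARED_BITS)


def audit_app_data(root):
    """Walk an app data directory and return files (relative paths) exposed to other UIDs."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if exposed_to_others(path):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def write_private(path, data):
    """Create a cache file owner-only (0600) at creation time.

    Passing the mode to os.open means there is never a window in which a
    world-readable file exists; the trailing chmod also covers the case where
    the file already existed with looser bits (os.open does not alter an
    existing file's mode).
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)


def fix_permissions(root):
    """Remediate: strip group/other bits from every exposed file under root."""
    changed = []
    for rel in audit_app_data(root):
        path = os.path.join(root, rel)
        owner_only = stat.S_IMODE(os.stat(path).st_mode) & 0o700
        os.chmod(path, owner_only)
        changed.append(rel)
    return changed


def demo():
    """Constructed scenario: one cache file left world-readable (the weak setting),
    one written privately. Returns (exposed_before_fix, exposed_after_fix)."""
    with tempfile.TemporaryDirectory() as root:
        weak = os.path.join(root, "cached_profile.db")  # constructed name
        with open(weak, "wb") as f:
            f.write(b"constructed placeholder for cached profile data")
        os.chmod(weak, 0o644)  # the weak setting: readable by every other UID

        # The hardened form: created owner-only from the start.
        write_private(os.path.join(root, "messages.db"), b"constructed message cache")

        before = audit_app_data(root)
        fix_permissions(root)
        after = audit_app_data(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("exposed before fix:", before)  # ['cached_profile.db']
    print("exposed after fix: ", after)   # []
```

Running `audit_app_data` against a real app data directory (on a test device with shell access) is the check a tester would use to confirm a fix like the one Skype announced actually landed: the list should come back empty.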


Reader comments


Thanks @philnickinson for recommending that I clear my cookies ( ones) so I would stay logged in.

Now does anyone know which malicious apps are doing this?

Screw Skype and their crippled Android client. No calling over 3G in the U.S. is bullshit. I have an early hacked version of the client that allows it and the voice quality is perfect. None of the newer versions were hacked, though.

I find Skype's response lacking in true sincerity. They are putting the blame on the end user, clearly stating if you "installed malicious software"; well, Skype appears to be "installed malicious software" to me. How does a communications company leave their application wide open to vulnerabilities and then put the blame on the users? They clearly failed to test it and fix it way before it launched in October 2010; that is 6 months ago.

Skype should be pulling their app from the market until they fix the problem; Google should remove it as well. Security is key today and I just removed Skype from our computers and my TB until it's fixed.