Privacy: another reason to avoid Skype
Some time ago we drew attention to the possible eavesdropping problems in using Skype, which is now owned by Microsoft (news passim). This has now been confirmed by German technology news website, Heise.
Anyone who uses Skype, has agreed that Skype may also read too. Heise Security has found out that Microsoft actually avails itself of this right. At the very least https URLs sent via the chat interface receive an unannounced visit from Redmond some time later.
Heise was alerted to this by a reader who pointed out that unusual network traffic was reported after a Skype chat with colleagues. The server logs pointed to a possible replay attack. As things turned out, a Redmond IP address had accessed the https URLs that had previously been sent. The Heise Security re-enacted the situation, sending each other URLs: one of the test https URLs contained login information; the other pointed to a private file sharing cloud service. A few hours after posting the team spotted the following in the the server log files:
18.104.22.168 - - [30/Apr/2013:19:28:32 +0200] "HEAD /.../login.html?user=tbtest&password=geheim HTTP/1.1"
Heise Security too had received a visit from an IP address registered to Microsoft.
When challenged about this behaviour, the company asserted that messages are scanned to filter out links to spam and phishing pages. However, the facts do not support this assertion: spam and phishing sites don’t normally lurk behind https URLs and Skype didn’t touch those. Furthermore, Skype is sending out head requests, which only the server’s retrieve administration data. Skype would have to examine the content of pages to investigate web pages for spam or phishing.
Heise’s conclusion is that anyone who uses Skype must only agree that Microsoft can use all the data transferred almost as it feels inclined to do. It must be assumed that this actually occurs and that the company will not reveal exactly what it is doing with this data.
Readers are therefore advised for the security of their own data to switch their communications to a client using the open source XMMP (formerly known as Jabber) protocol and free chat programs that support it.