[VOIPSEC] FYI - iSkoot's exposure of Skype credentials over the weekend (now resolved)
Dan York
dyork at voxeo.com
Mon Apr 28 12:27:17 CDT 2008
VOIPSEC readers,
FYI, if you haven't been following the issue, over the weekend Dameon
Welch-Abernathy, a.k.a. PhoneBoy, discovered that the iSkoot program
that enables Skype usage from mobile phones was passing Skype user
credentials in the clear. I put up a blog post on the VOIPSA blog
which has been tracking the various posts, statements and other
aspects of the case:
http://voipsa.org/blog/2008/04/26/are-your-skype-username-and-password-completely-exposed-if-you-use-iskoot/
Over the course of the weekend, it turned out that a development/pre-production
release of the Symbian version of iSkoot was put up on
their site and this version did not have SSL encryption enabled. The
other versions of the iSkoot product for Blackberry, Windows Mobile,
etc. were NOT affected by this. The bad version has been pulled down
and a new version will be pushed shortly to all Symbian devices.
iSkoot has issued a formal statement that I comment on here:
http://voipsa.org/blog/2008/04/28/iskoot-disclosure-of-skype-credentials-resolved-new-version-by-wednesday/
The issue Dameon discovered will therefore soon be resolved.
Overall, it was an interesting process this weekend (which I
chronicled here:
http://voipsa.org/blog/2008/04/28/chronology-of-the-blogosphere-and-iskoot-weekend-response-to-the-iskoot-security-issue/).
Dameon and I spoke this morning and he did say that he realized
after posting that he really did inadvertently announce a "zero day"
vulnerability in iSkoot's product. He was NOT doing security research
at the time but was rather writing up a comparison of iSkoot to
Skype's new "Skype for Mobile" product. During the course of
researching the two products to write his comparison, he realized that
iSkoot was sending everything in the clear... and promptly wrote that
up. Dameon acknowledged that a better process would have been to
contact the vendor directly and work with them first. Although to be
honest there was no apparent security contact process at iSkoot and
"security at iskoot.com" did not work as an email address. The process
might have been long for Dameon.
In the end, it all worked out well in this case. iSkoot responded
quickly and a serious potential exposure of information is now on the
way to being closed. Kudos to Dameon, the iSkoot team and all involved
for bringing about the quick resolution.
Regards,
Dan
--
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO Voxeo Corporation dyork at voxeo.com
Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com
Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com
Build voice applications based on open standards.
Find out how at http://www.voxeo.com/free
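As an added illustration (not code from the original post, and not iSkoot's or Skype's own code), here is a small Python check of the kind that reveals what Dameon noticed: given the first client-to-server bytes of a captured session, it reports whether the connection opens with a TLS ClientHello or carries cleartext, and in the cleartext case pulls out credential-looking fields (HTTP Basic headers and username/password style key=value pairs). The sample payloads, the host name gateway.example.invalid and the field names are constructed for the example and do not reproduce iSkoot's actual protocol.

```python
"""Classify captured client-to-server payloads as TLS or cleartext and flag
credential-looking fields in the cleartext case. Added example; the sample
payloads below are constructed and do not reproduce iSkoot's real protocol."""
import base64
import re
from urllib.parse import unquote_plus

# Field names commonly used for login forms and key=value login lines.
CREDENTIAL_KEYS = {"user", "username", "login", "pass", "password", "passwd", "pwd"}

BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# key=value pairs as found in query strings, form bodies or simple line protocols.
KV_RE = re.compile(r"(?<![A-Za-z0-9_])([A-Za-z_]+)=([^&\s;]+)")


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the bytes open with a TLS record of type handshake (0x16),
    a 3.x record version, and a ClientHello (handshake type 0x01)."""
    return (len(payload) >= 6
            and payload[0] == 0x16
            and payload[1] == 0x03
            and payload[2] <= 0x04
            and payload[5] == 0x01)


def find_cleartext_credentials(payload: bytes) -> dict:
    """Return {field: value} for credential-looking data in a cleartext payload:
    HTTP Basic auth headers plus username/password style key=value fields."""
    text = payload.decode("latin-1")  # 1:1 byte mapping, never raises
    found = {}
    m = BASIC_RE.search(text)
    if m:
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = ""
        if ":" in decoded:
            user, _, password = decoded.partition(":")
            found["basic_user"] = user
            found["basic_password"] = password
    for key, value in KV_RE.findall(text):
        if key.lower() in CREDENTIAL_KEYS:
            found[key.lower()] = unquote_plus(value)
    return found


def classify_stream(payload: bytes) -> dict:
    """Summarise one captured client->server payload."""
    if looks_like_tls_client_hello(payload):
        return {"transport": "tls", "credentials": {}}
    return {"transport": "cleartext",
            "credentials": find_cleartext_credentials(payload)}


# Constructed sample payloads (hypothetical host and values; not real captures).
SAMPLE_STREAMS = {
    # A form login as a build with SSL disabled would send it.
    "dev_build": (b"POST /login HTTP/1.1\r\nHost: gateway.example.invalid\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  b"username=alice%40example.invalid&password=s3cret%21&client=symbian"),
    # The same credentials carried in an HTTP Basic header.
    "basic_auth": (b"GET /status HTTP/1.1\r\nHost: gateway.example.invalid\r\n"
                   b"Authorization: Basic " + base64.b64encode(b"alice:s3cret!") + b"\r\n\r\n"),
    # Leading bytes of a TLS 1.0 ClientHello, as an SSL-enabled build would send.
    "release_build": bytes.fromhex("160301004a010000460301") + b"\x00" * 64,
}


def audit(streams: dict) -> list:
    """Return the names of streams that leak credentials in the clear."""
    return [name for name, payload in streams.items()
            if classify_stream(payload)["credentials"]]


if __name__ == "__main__":
    for name, payload in SAMPLE_STREAMS.items():
        print(name, classify_stream(payload))
    print("leaking:", audit(SAMPLE_STREAMS))
```

On real traffic you would feed in the first few hundred bytes of each TCP stream (for example from tcpflow or tshark's follow-stream output) and compare a capture of the build under test against one of a known-good build. A stream that is neither TLS nor matched by these patterns is not thereby proven safe; a client could use its own framing or obfuscation, so the check only catches the obvious cases, which is exactly the class of exposure described above.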