[VOIPSEC] "SkypeSkryping" and Google Voice findings by Secure Science
Diana Cionoiu
diana-liste at voip.null.ro
Tue Apr 14 16:15:02 CDT 2009
Hello,
Maybe I don't understand exactly what this security issue is all about,
but from my understanding things are going like this.
1. Find valid Skype users
2. Send them a fake URL to get them on your website. That means that the
user doesn't have any anti-phishing software and is dumb enough to click
on that website. That also means that Skype will allow spam in their
network, which is not that common.
The same issues are shared by Amazon or other websites and are far more
serious threats. So how is this Skype issue such a big issue?
Diana
P.S. Security is important, I am just failing to see the importance of this
issue.
Shawn Merdinger wrote:
> On Mon, Apr 13, 2009 at 2:36 PM, nnp <version5 at gmail.com> wrote:
>
>> Hrm, I should be a smartarse more often if it elicits such responses
>> ;-)
>>
>
> Ha! Smartarses always welcome, and thanks for the props :)
>
>
>> Where did you hear about the Scapy/Skype stuff, I had a quick look
>> through the source and commit logs and couldn't find anything.
>>
>
> See the Blackhat preso "Silver needle in the Skype" by Philippe Biondi
> http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf
>
> Also, brief mention of importing into Skype made in Scapy v2.0.1 documentation
> http://dirk-loss.de/scapy-doc/usage.html
>
> One other harvesting resource I should have mentioned earlier is
> searching for the customised per user "SkypeMe" buttons folks can
> place on their Webpages. See http://www.skype.com/share/buttons/ The
> buttons are interesting as status (online, offline, etc.) is
> reflected in the SkypeMe button.
>
> Oh, and the Skype user client search results will also return MySpace
> users with Skype in another tab in the results window, leading me to
> think there's some social networking site tie-ins to Skype perhaps
> worth looking into.
>
> Cheers,
> --scm
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>