[VOIPSEC] "SkypeSkryping" and Google Voice findings by Secure Science
nnp
version5 at gmail.com
Tue Apr 14 19:52:07 CDT 2009
On Tue, Apr 14, 2009 at 10:15 PM, Diana Cionoiu
<diana-liste at voip.null.ro> wrote:
> Hello,
>
> Maybe I don't understand exactly what this security issue is all about, but
> from my understanding things are going like this.
> 1. Find valid Skype users
> 2. Send them a fake url to get them on your website. That means that the
> user doesn't have any anti-phishing software and is dumb enough to click on
> that website.
Erm... it's not exactly difficult to create an email that will avoid
anti-phishing software nor is it difficult to trick a user (dumb or
not) into clicking a link. Hell, if anti-phishing software worked and
users didn't click links then every PDF/Excel/PowerPoint/Word etc
exploit would also be a non-security issue.
> That also means that Skype will allow spam in their network
> which is not that common.
Eh?
>
> The same issues are shared by Amazon or other websites and are far more
> serious threats. So how is this Skype issue such a big issue?
By that reasoning we should just ignore all security issues that
aren't remote root vulnerabilities in whatever OS your most valuable
assets are stored on. It's an issue because it allows someone to
potentially make modifications to the communications tools used by
your CEO/other important person. I haven't tried to exploit this issue
but assuming it works, I would consider the ability to redirect
somebody's incoming calls pretty serious. Of course the actual impact
depends on whose calls you're redirecting and a whole array of other
considerations but the potential exists for a variety of
hilarious/nefarious hacks.
Cheers,
nnp
--
http://www.unprotectedhex.com
http://www.smashthestack.org