[cryptography] skype backdoor confirmation
adam at cypherspace.org
Thu May 16 15:52:24 EDT 2013
So when I saw this article
I was disappointed that the rumoured Skype backdoor is claimed to be real, and
that they have evidence. The method by which they confirmed it is kind of odd
- not only is Skype eavesdropping, but it's doing HEAD requests on SSL sites
that have URLs pasted in the Skype chat!
Now I've worked with a few of the German security outfits before, though not
Heise, and they are usually top-notch, so if they say it's confirmed, you
are generally advised to believe them. And the date on the article is a
couple of days old, but I tried it anyway. Set up a non-indexed,
/dev/urandom-generated long filename, and saved it as PHP with a
meta-refresh to a known malware site in case that's a trigger, and a passive
HTML one with no refresh and no args. Passed a username/password via
?user=foo&password=bar to the PHP one and sent the links to Ian Grigg, who I
saw was online on Skype, with strict instructions not to click.
To my surprise I see these two entries in the Apache SSL log:
220.127.116.11 - - [16/May/2013:13:14:03 -0400] "HEAD /CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html HTTP/1.1" 200 -
18.104.22.168 - - [16/May/2013:14:08:52 -0400] "HEAD /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php?user=foo&pass=yeahright HTTP/1.1" 200 -
I was using Skype on Ubuntu; Ian on the other end was using Mac OS X. It
took about 45 mins until the hit came, so they must be batched. (The gap
between the two requests is because I did some work on the web server, as the
SSL cert was expired and I didn't want that to prevent it working, nor
something more script-like with CGI arguments as in the article.)
Now, are they just hoovering up the Skype IMs via the new Microsoft central
server architecture, having backdoored the Skype client to no longer have
end-to-end encryption (and feeding them through Echelon or whatever), or is this
the client that is reading your IMs and sending selected things to the
BTW, their HEAD request was completely ineffective per the weak excuse
Microsoft offered in the article at top: my PHP contained a meta-refresh,
which the HEAD won't see as it's in the HTML body. (Yes, I confirmed via my
own localhost HTTP GET, as web dev environments are automatic in various
So there is adium4skype, which allows you to use OTR with your Skype contacts,
using Skype as the transport. Or one might be more inclined to drop
Skype in protest.
I think the spooks have been watching "Person of Interest" too much to think
such things are cricket. How far does this go? Do people need to worry
about Microsoft IIS web servers with SSL, Exchange servers?
You do have to wonder if Apple backdoored their IM client, below the OTR, or
Silent Circle, or the OS - I mean, how far does this go? Jon Callas said not
Apple, that wouldn't be cool, and Apple aims for coolness for users; maybe he
should dig a little more. It seems to be getting to where you can't trust anything
without compiling it from source and having a good PGP WoT network with
developers. A distro binary possibly isn't enough in such an environment.
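The test described in the post above (random, unlinked canary URLs, one of them carrying credentials in the query string, then watching the SSL access log for fetches by anyone other than the recipient) can be turned into a small log filter. The following is an added example and is not code from the post, from Heise, or from Microsoft. It parses Apache access-log lines, keeps only requests for the canary paths that did not come from the operator's own hosts, and reports the request method, how long after the links were pasted into the chat the fetch arrived, and any credential-looking query parameters the fetcher handed over. The sample log embeds the two HEAD lines quoted in the post plus constructed noise lines; the paste time SENT_AT is an assumption chosen to reproduce the roughly 45-minute delay the post mentions, and the parameter-name list CREDENTIAL_KEYS is likewise the example's own choice.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: the two HEAD requests quoted in the post, plus three
# made-up lines (a GET of a public page, a bot probing /, and the operator's own
# localhost GET of the canary) so the filter has noise to ignore.
SAMPLE_LOG = """\
220.127.116.11 - - [16/May/2013:13:14:03 -0400] "HEAD /CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html HTTP/1.1" 200 -
10.0.0.7 - - [16/May/2013:13:20:11 -0400] "GET /index.html HTTP/1.1" 200 4123
198.51.100.9 - - [16/May/2013:13:41:55 -0400] "GET / HTTP/1.0" 301 0
127.0.0.1 - - [16/May/2013:14:02:30 -0400] "GET /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php?user=foo&pass=yeahright HTTP/1.1" 200 88
18.104.22.168 - - [16/May/2013:14:08:52 -0400] "HEAD /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php?user=foo&pass=yeahright HTTP/1.1" 200 -
"""

# The two random canary paths from the post: never linked from anywhere,
# only ever pasted into a Skype chat.
CANARY_PATHS = {
    "/CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html",
    "/CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php",
}

# Assumed paste time (the post only says the hit took about 45 minutes).
SENT_AT = datetime(2013, 5, 16, 12, 29, 0, tzinfo=timezone(timedelta(hours=-4)))

# Query parameter names whose presence means the fetcher has just handed
# your credentials to whoever operates it (example's own list, not the post's).
CREDENTIAL_KEYS = {"user", "username", "pass", "password", "token", "key"}

# Apache common/combined log prefix: client, ident, user, [timestamp],
# "METHOD target protocol", status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def canary_hits(log_text, canary_paths, sent_at, own_hosts=("127.0.0.1", "::1")):
    """Return every fetch of a canary URL by anyone other than the operator.

    The delay since sent_at distinguishes an immediate client-side link
    preview from a batched, server-side fetch; leaked_params lists the
    credential-looking query keys the fetcher sent along.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in canary_paths:
            continue
        if rec["ip"] in own_hosts:
            continue  # the operator's own localhost check, not a third party
        leaked = sorted(k for k in rec["query"] if k.lower() in CREDENTIAL_KEYS)
        hits.append({
            "ip": rec["ip"],
            "method": rec["method"],
            "path": rec["path"],
            "delay_min": round((rec["time"] - sent_at).total_seconds() / 60),
            "leaked_params": leaked,
        })
    return hits


def report(hits):
    """Render the hits as one line each, for a quick look at the log."""
    return [
        f"{h['ip']} {h['method']} {h['path']} after {h['delay_min']} min"
        + (f", leaked {','.join(h['leaked_params'])}" if h["leaked_params"] else "")
        for h in hits
    ]


if __name__ == "__main__":
    for line in report(canary_hits(SAMPLE_LOG, CANARY_PATHS, SENT_AT)):
        print(line)
```

Run it against your own SSL access log with a freshly generated canary path and the time you pasted the link; any hit that is not from the person you sent it to is a fetch by a third party. Note that a HEAD only tells you the fetcher exists: as the post observes, it never retrieves the body, so a meta-refresh in the page is not something it could have evaluated.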