
Skype for Android vulnerability

A vulnerability has been discovered in Skype for Android that allows a third-party application to access your personal data.

Inside the Skype directory there is a directory with the same name as your Skype username. It is here, in a sqlite3 database, that Skype stores your contacts, profile data, messages and much more.

UPD: As correctly noted in the comments, everything described below applies to rooted Android devices. However, Habr user dpolishuk found that the vulnerability is present on all devices, not just rooted ones.


# ls -l /data/data/com.skype.merlin_mecha/files/jcaseap
-rw-rw-rw- app_152 app_152 331776 2011-04-13 00:08 main.db
-rw-rw-rw- app_152 app_152 119528 2011-04-13 00:08 main.db-journal
-rw-rw-rw- app_152 app_152 40960 2011-04-11 14:05 keyval.db
-rw-rw-rw- app_152 app_152 3522 2011-04-12 23:39 config.xml
drwxrwxrwx app_152 app_152 2011-04-11 14:05 voicemail
-rw-rw-rw- app_152 app_152 0 2011-04-11 14:05 config.lck
-rw-rw-rw- app_152 app_152 61440 2011-04-13 00:08 bistats.db
drwxrwxrwx app_152 app_152 2011-04-12 21:49 chatsync
-rw-rw-rw- app_152 app_152 12824 2011-04-11 14:05 keyval.db-journal
-rw-rw-rw- app_152 app_152 33344 2011-04-13 00:08 bistats.db-journal


Skype mistakenly leaves this data with completely open permissions and unencrypted, which allows third-party applications to read it.
How can a third-party application find the right directory? Skype stores the username in one fixed location; an application can read that file and get the username, and from it the path to the Skype database.

# ls -l /data/data/com.skype.merlin_mecha/files/shared.xml
-rw-rw-rw- app_152 app_152 56136 2011-04-13 00:07 shared.xml
# grep Default /data/data/com.skype.merlin_mecha/files/shared.xml
jcaseap
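
A defender can check a listing like the ones above for this problem. The following Python sketch is an added example, not code from the original post or from Skype; it parses the Android `ls -l` format shown on this page and reports entries that other app UIDs can read or write. The function name `audit_listing` and the two `example_*` rows are constructed for illustration.

```python
import re

# Android toolbox `ls -l` row: mode, owner, group, [size], date, time, name.
# Directories have no size column, so that field is optional.
LS_ROW = re.compile(
    r"^(?P<mode>[-dlcbps][-rwxsStT]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?:(?P<size>\d+)\s+)?\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?P<name>.+)$"
)

def audit_listing(text):
    """Return entries whose 'other' permission bits allow read or write."""
    findings = []
    for line in text.splitlines():
        m = LS_ROW.match(line.strip())
        if not m:
            continue  # shell prompts, blank lines, non-listing output
        mode = m["mode"]
        other = mode[7:10]  # permission triplet for every other UID
        issues = []
        if other[0] == "r":
            issues.append("world-readable")
        if other[1] == "w":
            issues.append("world-writable")
        if issues:
            findings.append({
                "name": m["name"],
                "kind": "dir" if mode[0] == "d" else "file",
                "owner": m["owner"],
                "mode": mode,
                "issues": issues,
            })
    return findings

# The command line and the first three rows are copied from the listing on
# this page; the two example_* rows are constructed to show entries that are
# restricted to the owning UID and group.
SAMPLE = """\
# ls -l /data/data/com.skype.merlin_mecha/files/jcaseap
-rw-rw-rw- app_152 app_152 331776 2011-04-13 00:08 main.db
-rw-rw-rw- app_152 app_152 3522 2011-04-12 23:39 config.xml
drwxrwxrwx app_152 app_152 2011-04-11 14:05 voicemail
-rw-rw---- app_152 app_152 331776 2011-04-13 00:08 example_private.db
drwxrwx--x app_152 app_152 2011-04-11 14:05 example_private_dir
"""

if __name__ == "__main__":
    for f in audit_listing(SAMPLE):
        print(f"{f['mode']} {f['kind']:4} {f['name']}: {', '.join(f['issues'])}")
```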


The file of most interest is main.db. The account table contains data such as balance, full name, date of birth, city, country, all phone numbers, e-mail, etc.
The Contacts table contains similar information for your contact list. As for the Chats table, guess for yourself :)

It is worth noting that Skype for Android has been available since October 2010, which means that this vulnerability has been present all this time.

In the official response, Skype recommends being more selective when installing new applications. Translation by user Hoorsh:
Adrian Asher, head of information security at Skype: “We were told that when installing a third-party malicious application on our Android device, it can access the local data stored by the Skype for Android application.

These files include a cache of profile information and message history. We take your privacy very seriously, and we work hard to protect you from this vulnerability, including limiting access rights to local Skype files for Android.

To protect your personal information, we advise you to be more selective about which applications you download and install on your devices.”


Based on Android Police.
Yes, your data will be saved!

UPD: fixed.

Source: https://habr.com/ru/post/117610/

