
The short answer is: they don't care.
This article describes my unsuccessful attempts to convince Microsoft employees that their service is vulnerable, as well as the humiliation that Skype users have to endure. Under the cut: ignorance, pain and despair.
UPD
Article in English: hub.zhovner.com/geek/how-skype-fixes-security-vulnerabilities/
Post on HackerNews: news.ycombinator.com/item?id=13227480
TL;DR:
- Anyone can block your account forever so that you can no longer use it. To do this it is enough to know the account name. In most cases Skype will refuse to restore access. Microsoft has known about this problem for several years.
- The mechanism for generating the eight-digit one-time authentication codes (Microsoft Security Code) used to recover the password to a Microsoft account is vulnerable: an attacker can guess the code.
- Skype support is vulnerable to social engineering attacks. Microsoft considers this normal.
- Skype support does not know what is actually happening with your account or why it is blocked. In any case you will receive a standard response that your account has been blocked for violating the rules, even if the account was deleted at your own request.
- Skype still reveals your IP address, including the local one (the address on the network interface). In some cases it is possible to discover contacts connected through the same external IP address as you, for example family members behind a home router.
- An attacker can hide an active session from the list of authorized clients (the /showplaces command) by using old versions of the SDK. Thus, knowing the password, one can read the victim's correspondence unnoticed.
About me
I have been using Skype for about ten years. Previously, I could call myself a true Skype fanboy.
When the public bug tracker jira.skype.com was available, I was actively trying to improve Skype by reporting bugs.
For example, SCW-2778, a remote DoS exploit. This vulnerability allowed an attacker to remotely crash the desktop version of Skype for Windows so that the program could not start again without clearing the history.
Or SCW-3328, which allowed remotely turning off the microphone during a call.
Even then, Skype's approach to fixing bugs was alarming. I literally had to beg the developers to fix problems that they could not fix for years!
Here is how it looked.
I used all Skype products and the Skype4Com and SkypeKit development tools. I bought premium subscriptions. At work I promoted the idea of buying Skype for Business. I wrote bots, a service for generating my own emoticons, etc.
But today I can say that I truly hate Skype. It is a disgusting service, steeped in bureaucracy and the ignorance of its employees, completely ignoring problems and busy only with creating 3D emoticons. Today Skype is not just insecure, it is a threat to its users, because its security mechanisms do not work.
Chronology of events
For several years now there have been vulnerabilities that allow blocking an arbitrary Skype account. Several of them are actively used by attackers and offered as a service.
I used to write a lot about Skype vulnerabilities, and victims of blocking, who found me through search, began to contact me.
I have seen various cases of blocked Skype accounts. I tried to help people regain access and begged Skype to do something about it.
Usually these were blockings through mass complaints. This is a long-known method that has existed for many years. It is so old that it has become part of a children's subculture that wages war on itself inside Skype. But over the past year something glaring has happened, about which I cannot stay silent.
Method 1 - abuses (classic)
In Skype, an account is automatically blocked if it receives a sufficient number of complaints from other users. Presumably more than 20.
To send a complaint you do not even need to add the account to your contact list: you can do it by finding the account through search and clicking "Block → Report a violation".
Thus the victim may not even be aware of the complaints sent against them.
This technique has existed for many years. It has been written about on Habr; even children who gather in groups to send complaints en masse know about it.
Here, for example, is what a cursory search on vk.com turned up:
vk.com/block_pidaram_skype
vk.com/skype_delete
vk.com/blacklistskype
vk.com/blockskyp
vk.com/eds_snos
vk.com/club58649499
vk.com/club49404483
There are many such communities in Skype itself. There is even a separate subculture of "drivers". Usually these are children of 12-19 years old, who unite in clans. The essence of their activity is to inflict maximum damage on an opponent, who is chosen at random.
The main battles take place in the form of verbal duels in group calls. The point is to humiliate the interlocutor as much as possible in a short time and record it on video.
Video recording of duels (caution: profanity and screaming). Some clans of drivers release their own software to automate malicious activity.
Demonstration of a program for mass sending of complaints (video). The result resembles a botnet built from one's own contact list, which voluntarily reports the submitted accounts. Let me remind you that to file a complaint you do not need to add the victim's account to your contacts. That is, hundreds of schoolchildren with whom you have never communicated may report you, and you will never know.
I personally know a dozen victims whose accounts were deleted this way. All appeals to Skype support are answered with a standard brush-off:
I understand that your Skype account was blocked. I apologize for any inconvenience.
Via the Skype account. As a result, your account has been restricted and will remain restricted until further notice.
Translation
I understand that your account has been blocked and I apologize for the inconvenience. I will be MORE THAN HAPPY to see how I can help.
Our automatic system has determined that you are a schmuck and are breaking all the rules. Therefore we have deleted your account, to hell with it. Goodbye.
Can you guess whether this vulnerability is fixed today? Of course not!
Blocking through technical support
In the fall of 2015, people who had suffered from a new type of attack began to write to me. This time, before the account was blocked, the victim received emails from Microsoft with an eight-digit code. The emails were sent from the mailbox verifyme@microsoft.com and carried a valid DKIM signature, that is, they really came from Microsoft.

After conducting our own investigation with friends, we found the perpetrator of the attack. All the forums for juvenile script kiddies were full of his ads.
Here are his details:
ICQ: 676061500
Skype: alaaasddsa1.as
Jabber: block_service@xmpp.jp