A design flaw in Microsoft’s Skype app can be exploited to grant access to the data on your Android phone without passcode authentication, a researcher has shown.
Kosovo-based bug-hunter Florian Kunushevci demonstrates in a YouTube video how Skype can be manipulated into accessing private data, including photos on the phone, without unlocking the handset. All one has to do is gain physical access to the phone and answer a Skype call on it. From there, whoever is holding the phone can access contact information, as well as the photo gallery, through the app’s file-sharing function.
“One day I got a feeling while using the app that there should be a need to check a part which seems to give me other options than it should,” he explained to The Register. “Then I had to change the way of thinking as a regular user into something that I can use for exploitation.”
While the flaw could tempt a suspicious spouse to look through their partner’s phone, it is more of a design oversight than anything. Kunushevci himself tells the publication, “For the specific bug that I have found on Skype, it is more of a bad design and also a bug in coding. I think to put it all together, humans make mistakes.”
A responsible bug-hunter, Kunushevci alerted Microsoft to the flaw and waited for the company to patch it before he disclosed it. That doesn’t mean it can’t still be exploited. Anyone who hasn’t updated their Android Skype app in over a month is at risk. Only the latest versions of Skype, issued December 23, are safe to use. And because Skype versioning differs between Android versions, everyone must be sure to be on a version number above 188.8.131.526.