Researcher Florian Kunushevci discovered a vulnerability that allows an unauthenticated local attacker to view the victim's photos and contacts, and also to open links in the victim's web browser, all from a locked phone.
“Skype Android Authentication Bypass
-> View pictures & albums at the victim phone
-> View Contacts inside the phone (Numbers + Names)
-> Access Browser
A new vulnerability that I found on Skype has been fixed that affected millions of Android devices around the world that use Skype. The new update you will find from 23 December 2018.” wrote the expert.
A locked device must not allow a user to access photos and contacts without prior authentication.
It was possible to exploit this flaw because the researcher found a coding error that gives him the ability to access photos and contacts, but also to send messages.
The flaw also allows the browser to be launched on the Android device. The attacker only needs to send a Skype message containing a link to the victim and then tap the link on the victim's phone.
The flaw appears to affect all Android devices running a vulnerable version of Skype. The app should be updated to its latest version.
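The underlying problem is an app surface reachable from the lock screen that exposes more actions (open a link, browse contacts and pictures) than the lock screen itself permits. The following is an added example, not Skype's code and not the researcher's, showing how an Android app can gate such actions behind the device credential using the platform's `KeyguardManager` APIs (`isDeviceLocked()`, available from API 22, and `requestDismissKeyguard()`, available from API 26). The class name `LockScreenGate` and the `openLink` helper are illustrative assumptions.

```java
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;

// Illustrative helper (not Skype's code): any action offered from a UI that
// can be shown over the lock screen is routed through runUnlocked(), so it
// only executes once the user has proven the device credential.
public final class LockScreenGate {
    private final Activity activity;
    private final KeyguardManager keyguard;

    public LockScreenGate(Activity activity) {
        this.activity = activity;
        this.keyguard = (KeyguardManager) activity.getSystemService(Context.KEYGUARD_SERVICE);
    }

    /** True while the device is behind a lock screen that requires a credential. */
    public boolean isLocked() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP_MR1) {
            // API 22+: true only when a PIN/pattern/password is actually required
            return keyguard.isDeviceLocked();
        }
        // Older devices: any keyguard counts, including swipe-only, to stay conservative
        return keyguard.isKeyguardLocked();
    }

    /** Open a link from a message, but never while the device is locked. */
    public void openLink(String url) {
        final Intent view = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
        runUnlocked(() -> activity.startActivity(view));
    }

    /** Run the action now if unlocked; otherwise ask the system to authenticate first. */
    public void runUnlocked(final Runnable action) {
        if (!isLocked()) {
            action.run();
            return;
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            // The system shows its own credential prompt; the action runs only on success.
            keyguard.requestDismissKeyguard(activity, new KeyguardManager.KeyguardDismissCallback() {
                @Override public void onDismissSucceeded() { action.run(); }
                @Override public void onDismissCancelled() { /* user declined: do nothing */ }
                @Override public void onDismissError()     { /* cannot verify: do nothing */ }
            });
        }
        // Pre-API 26 there is no dismiss callback to trust, so the action is refused
        // rather than run on a locked device.
    }
}
```

The important design choice is the default: when the lock state cannot be verified, the action is dropped, not allowed. Gating only the obvious paths (the link tap) while leaving contact or gallery pickers reachable from the same screen would reproduce exactly the class of bug described above.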
One day I got a feeling while using the app that there should be a need to check a part which seems to give me other options than it should. Then I had to change the way of thinking as a regular user into something that I can use for exploitation. For the specific bug that I have found on Skype, it is more of a bad design and also a bug in coding. I think to put it all together, humans make mistakes.
– Florian Kunushevci
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.