Skype Glitch Allowed Android Authentication Bypass

A glitch allowed hackers to access contacts, photos and more on Android devices – simply by answering a Skype call.

A Skype vulnerability could have allowed hackers to bypass authentication methods and access personal data on an Android device – simply by answering a Skype call to that device.

The glitch, which was disclosed by security researcher Florian Kunushevci last week, was patched earlier in December by Microsoft, which owns the Skype telecommunications platform.

“A new vulnerability that I found on Skype has been fixed that affected millions of android devices around the world that uses Skype,” Kunushevci said in a LinkedIn post about the bug last week. “[The] new update you will find from 23 December 2018.”

Kunushevci said a hacker would simply need to steal an Android device, place a Skype call to said device, and answer that call.

After that, without unlocking the screen the bad actor would be able to view an array of typically authenticated information through the Skype platform – including pictures and albums, contact details, browsers and apps. Kunushevci demonstrated the attack via a proof-of-concept video (below).

The issue is a Skype issue rather than an Android issue, said Kunushevci. He first reported the bug to Microsoft on Oct. 22 and it has since been patched as part of the Dec. 23 Skype update.

Microsoft did not immediately respond to a request for comment from Threatpost.

Authentication bypass vulnerabilities continue to plague even the more secure phone manufacturers. While these types of flaws have drawbacks – in most cases a hacker needs physical access to the impacted device – many are amazingly simple to carry out.

In September, it was discovered that a passcode bypass vulnerability in Apple’s iOS version 12 allowed attackers to access photos and contacts (including phone numbers and emails) on locked iPhone XS phones and other devices. The hack allowed someone with physical access to a vulnerable iPhone to bypass the passcode authorization screen on iPhones running Apple’s latest iOS 12 beta and iOS 12 operating systems.

In 2016, a vulnerability in Apple’s iOS versions 8, 9, and 10 was disclosed, which could allow an attacker to access photos and contacts on a locked iPhone.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.