A vulnerability in Skype for Android allows an unauthenticated attacker to view photos and contacts, and even open links in the browser, a security researcher has discovered.
Found by Florian Kunushevci, a 19-year-old researcher from Kosovo, the vulnerability requires the attacker to have physical access to the target device. Next, they would need to receive a Skype call and answer it, which would then allow them to access user data even if the device is locked.
Normally, with the device locked, a user should not have access to data such as photos and contacts without authenticating with a password, a PIN, a lock-screen pattern, or a fingerprint.
Kunushevci, however, discovered that a code error in Skype for Android caused the application to ignore this rule, allowing an attacker to access photos, view contacts, and even send messages without having to authenticate first.
Furthermore, the young security researcher discovered that it was also possible to launch the browser on the device, straight from Skype. For that, the attacker would only need to type a link in a new message, send the message, and then click the link.
The security researcher discovered the vulnerability in October and reported it to Microsoft immediately. The company responded fast and addressed the issue in a new version of Skype released on December 23.
According to Kunushevci, the vulnerability likely impacts all Android devices using a Skype version without the patch (the app version differs depending on the Android iteration running on the device).
A video demonstrating the lockscreen bypass can be seen embedded below.
