Vulnerability in Skype could have enabled hackers to bypass authentication methods and access personal data on an Android device by simply responding to a Skype call. The gap that security researcher Florian Kunushevci revealed last week was patched earlier in December by Microsoft, which owns the telecommunications platform Skype. “A new vulnerability has been fixed that affects millions of android devices worldwide that use Skype,” Kunushevci said last week in a LinkedIn post about the bug. “[The] new update you’ll find from 23 December 2018.”
Kunushevci said that a hacker would just have to steal an Android device, place a Skype call on that device and respond to that call. After that, the bad actor could view a range of typically authenticated information via the Skype platform without unlocking the screen–including pictures and albums, contact details, browsers and apps. The attack was demonstrated by Kunushevci through a video of proof of concept (below). The problem is a Skype problem instead of an Android problem, Kunushevci said. On October, he reported the bug to Microsoft. 22 Since then, it was patched as part of Dec. 23 Update Skype. Microsoft did not immediately respond to a Threatpost request for comment. Vulnerabilities of authentication bypass continue to plague even safer manufacturers of phones. While these types of defects have disadvantages–in most cases the hacker needs physical access to the affected device–many are incredibly easy to perform. In September, it was found that passcode bypass vulnerability in Apple’s iOS version 12 allowed attackers to access photos and contacts on locked iPhone XS phones and other devices (including phone numbers and emails). The hack allowed a physically accessible iPhone to bypass the passcode authorization screen on iPhones running the latest iOS 12 beta and iOS 12 operating systems on Apple. In 2016, theiOS versions 8, 9 and 10 of Apple revealed a vulnerability that could allow an attacker to access photos and contacts on a locked iPhone.