Microsoft’s Skype is an extremely popular VoIP/video conferencing tool that is used by both individuals and business organizations, but with over 300 million users, the security risks affecting it have an even bigger impact.
According to Solutionary’s May Threat Report, the fact that Skype keeps personally identifiable information, alongside chat transcripts, in an unencrypted file on the local system makes users vulnerable.
What does this mean? It means that anyone who has the knowledge and skill to hack a Skype user can easily get access to personal information without actually having to hack into Microsoft’s servers.
The file that concerns Solutionary is named main.db, a clear indicator as to what the document holds. It can be found at:
- C:\Users\Username\AppData\Roaming\Skype\SkypeName on Windows
- /Users/user/Library/Application Support/Skype/SkypeName on Mac
- /home/user/.Skype/SkypeName on Linux.
On Windows and Linux, the locations are hidden by default, but that doesn’t mean anything to someone who knows their way around a computer, and it will certainly not prevent an attacker from locating the files they want.
As the IT security company points out, no one, especially not a company the size of Microsoft, should entrust its users’ security to a system obscurity feature.
When the file is collected, it can be opened with SQLite since it is completely unencrypted. Inside, there’s a long list of tables such as Accounts, Alerts, Calls, ChatMembers, Contact, DBMeta, Messages, Participants, SMSes, VideoMessages, Videos and Voicemails, to name just a few.
Basically, it’s the main database file for Skype functions, which makes it pretty easy to infer what kind of information is stored in most of the tables. Hackers can gain access to the users’ full name, birth date, country, city, email address, phone numbers and even the complete chat transcript.
“The details above are stored both about the direct user and any contacts that they may have in Skype. All of this could represent valuable information to an attacker. Additionally, the plain text and simple location make it an easy task for anyone, even without administrator access, to extract the database’s information. Of course, this does indicate a larger issue, such as that the file system is compromised in another fashion,” reads the security research.
Users are advised to use an alternate, more secure program, such as Citrix. There’s also the option of using full-disk encryption to make sure the data remains secure. Deleting the database each time the program is closed should work as well, but it’s a process that takes time and it can be quite annoying. Furthermore, while the program is running, users are still vulnerable.
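A defender can check how exposed a profile is with a short audit like the following, an added example that is not from Solutionary’s report or from Skype: it tests for the plaintext SQLite header, the POSIX permission bits, and which of the tables named above are present, without reading any rows. The helper names, the constructed sample database and its column names are assumptions for illustration.

```python
import os
import sqlite3
import stat
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of any unencrypted SQLite file
# Table names taken from the article's list; used only to flag what is exposed.
SENSITIVE_TABLES = {"Accounts", "Calls", "Messages", "Participants", "SMSes", "Voicemails"}

def is_plaintext_sqlite(path):
    """True if the file starts with the standard SQLite header (i.e. not encrypted)."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def audit_main_db(path):
    """Report exposure of one main.db without reading any row contents."""
    mode = os.stat(path).st_mode
    report = {
        "path": path,
        "plaintext": is_plaintext_sqlite(path),
        # POSIX permission bits; on Windows, review the file's ACL instead.
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "sensitive_tables": [],
    }
    if report["plaintext"]:
        # Open read-only so the audit never modifies the profile.
        con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        try:
            names = {r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table'")}
        finally:
            con.close()
        report["sensitive_tables"] = sorted(names & SENSITIVE_TABLES)
    return report

def make_constructed_profile(directory):
    """Build a constructed stand-in for a Skype profile (no real data)."""
    path = os.path.join(directory, "main.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE Accounts (fullname TEXT, emails TEXT)")
    con.execute("CREATE TABLE Messages (author TEXT, body_xml TEXT)")
    con.commit()
    con.close()
    os.chmod(path, 0o644)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(audit_main_db(make_constructed_profile(d)))
```

A file that fails the header check is either encrypted or not a SQLite database, so the audit reports no tables for it.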