
A Backdoor in Skype for Mac OS X - finid
https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Backdoor-in-Skype-for-Mac-OS-X/
======
dangerlibrary
Most generous interpretation: this could easily be an old, deprecated API in
an enormous, complicated codebase on an engineering team with high turnover.

~~~
gr3yh47
more realistic interpretation: Intentional backdoor for NSA programs as skype
has already been shown to be a part of.

[http://arstechnica.com/tech-policy/2014/12/newly-published-n...](http://arstechnica.com/tech-policy/2014/12/newly-published-nsa-documents-show-agency-could-grab-all-skype-traffic/)

~~~
Gaelan
If Skype wanted to give user data to the NSA, they would send it over from
their servers instead of implementing a backdoor that requires the NSA to
already have software on the target's computer (at which point,
assuming they managed to get root, they could circumvent whatever protections
Skype was using anyway).

~~~
nkw
Big corporations are, by definition, large complex organizations. There is
legal, executive management, developers, ops, etc. Hypothesizing about their
actions as a singular entity can oversimplify things. I don't know about the
specifics in the article, but as a general rule there are a number of instances
where an intelligence agency may approach only a developer, an ops person, or
someone in legal to obtain what they want instead of showing up and serving
the corporate entity with a NSL. Saying the organization as a whole could
provide data exfiltration much more efficiently by other means, does not rule
out the possibility that other techniques could be used instead for various
non-technical reasons.

~~~
linkregister
Can you give an example of one of these instances? I've heard of this sort of
thing outside of the U.S. (James Bond bribes East German clerk to get the
microfilm), but I haven't heard of domestic agencies doing this in the U.S.

Isn't it already disclosed in the Snowden documents that Skype has received
NSLs?

~~~
imglorp
First of all, Skype is Microsoft. Second, they're well known to collaborate
already. If NSA wanted a Skype feed, they could have it server or client side.

[https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-...](https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data)

~~~
jlgaddis
Originally, and perhaps at the time this "backdoor" was created, Skype
_wasn't_ Microsoft.

Skype was around for a long time before Microsoft bought it and changed its
architecture and design.

~~~
toyg
This. It could well have been a backdoor that predates the "superpeer" change
MS introduced right after acquisition. Skype was already under pressure from
European authorities at the time, to provide intercept capabilities; European
criminal networks (mafia etc) were early adopters and everybody knew it.

------
haddr
The backdoor aside, but using Skype seems to be a real pain recently. It used
to be something that offered unmatched quality and service, but with time
passing it is lagging behind. Skype on Mac OS X now starts like in 10 seconds
and even the shutdown takes 10-15 seconds (on SSD). Video calls are fine, but
the fans are quickly 100%. It's funny but the (long unmaintained) Linux skype
seems to be better at video calls.

This news only proves that the Skype codebase must be an unmanageable mess. I
can understand that. But also it seems that MS is moving to the web version of
skype, in the meantime not taking care too much about the native clients.

~~~
nness
Skype for Business, the Lync replacement, is equally if not more of a mess.
You can break conference calls just by muting people.

------
hashhar
Calling this a backdoor is an extreme measure. I wasn't able to see any
working example, nor any responsible disclosure which seems bad.

Also, if somebody has the ability to run arbitrary code on your machine, I
would think that it's game over at that point - backdoor or not. This is not a
remote exploitable backdoor it seems.

~~~
hamburglar
This is unequivocally a backdoor, by definition. They backdoored their own API
for the benefit of their own plugin being allowed to run unauthenticated.

What we _can't_ say is whether this is a backdoor created for nefarious
purposes. All we can say is that the backdoor exists and, if we accept that
authentication on this API is valuable, then it's an egregious violation of
security principles by effectively having some hardcoded credentials which
bypass a security layer.

You can wave it away as local-only and claim that if you have code running on
the box, it's already pwned, but this is rationalization: this backdoor
bypasses a layer of security that is otherwise present. Can an otherwise
unprivileged process (e.g. one from another user) call this API? The details
are not specified.

I tend to think this looks more like incompetence perpetrated a long time ago
and forgotten, but that doesn't make it any less of a back door.

~~~
sleepychu
> They backdoored their own API for the benefit of their own plugin being
> allowed to run unauthenticated.

Well, something with its name.

"Curiously, the actual Skype Dashboard widget does not seem to utilize the
backdoor into the Skype Desktop API despite the name "Skype Dashbd Wdgt
Plugin"."

~~~
hamburglar
Well, it seems obvious that some version of this plugin probably _used_ to use
this API and doesn't anymore.

------
campuscodi
Looks more like an ancient and unmaintained API. This is AV security-firm-hype
at its best.

------
klodolph
I've heard rumors that the Skype codebase is a giant mass of unmaintainable
code "approaching a singularity" and for this reason alone you wouldn't expect
it to be terribly secure. At one time I wondered if I was too paranoid for
adding another user account for the sole purpose of running Skype, but I no
longer wonder.

That and the fact that OS X security is not fantastic to begin with, and I
don't want anything weird showing up in screen sharing with job interviews
(say, in search history).

~~~
prdonahue
> That and the fact that OS X security is not fantastic to begin with.

Which OS do you use/prefer for better security?

~~~
klodolph
There's always a tradeoff. Windows and Linux can be locked down fairly well
but you usually end up wanting to install programs of dubious origin. High-
profile Linux distros with security-conscious maintainers are good choices,
like Fedora or Debian.

I wouldn't touch Arch with a ten-foot pole, a combination of disastrous design
decisions and maintainers that don't take reports of security vulnerabilities
in default package configurations seriously has really soured any love I had
for the distro once I got past the obnoxious fans and overtly hostile user
experience. Arch is the only distro where I've made bug reports for security
vulnerabilities and gotten asinine responses like "users should only install
this package on trusted networks."

~~~
AceJohnny2
Arch is really the Libertarian's distro. Caveat Emptor :)

------
milge
I thought it was already well-known and assumed Skype has backdoor(s) in their
software.

------
ryanlol
Super unlikely this is an intentional backdoor. OS X privesc vulns definitely
aren't nearly rare enough to come by to justify backdooring software like
Skype for local privesc.

------
bitmapbrother
This wouldn't be the first time Microsoft has worked with the NSA

[https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-...](https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data)

~~~
ryanlol
Why would Microsoft be working with the NSA on this?

~~~
jwtadvice
On this specifically, I'm doubtful. The 'backdoor' isn't very high value.

In many other cases technology transfer, joint management/ownership, market
access, political favors, lucrative contracts, direct infiltration,
nationalist instincts, and bribery are all reasons for Microsoft to work with
the NSA and other intelligence agencies. They were caught providing backdoor
access along with Google to all outlook (and gmail) emails to the FBI, for
example.

------
EugeneOZ
What wonders me is absence of urgent update after such news...

------
ryanmccullagh
I'm surprised to see this company on the front page of HN.

------
thedutchguy
Good. All things should have backdoors. /s

------
y_u_no_rust
calling this a backdoor is pretty disingenuous

~~~
ht85
An access that bypasses regular security / auth, isn't that the definition of
a backdoor?

~~~
brianbarker
No. A backdoor is considered to be deliberate and obfuscated from easy
discovery, with the intent to be secret access.

If every system flaw or coding bug is a backdoor, then defects like OpenSSL's
Heartbleed would be deemed backdoors, and they're not.

Unless you're wearing a heavy tin foil hat and think the coding mistake for
Heartbleed was intentional. I guess I can't dissuade you from that train of
thought.

~~~
0x0
Why is it that everything either has to be a blatant backdoor or an innocent
mistake or tinfoil hat territory? I find it hard to believe that nobody ever
wrote a backdoor and took the time to conceal it as an innocent, plausible
mistake.

~~~
brianbarker
Alright, I'm burnt out and I don't want to think about work for a few mins,
so:

I tire of the logic such as "well...what IF... _someone_...did that
intentionally!" Then people think they're smarter than everyone else, using
words like sheeple and such.

Shit happens. Merges fail. Teams miss stuff. I once randomly discovered a hole
in a web app where data was being leaked from an ajax call without logging in.
No conspiracy.

Yes, if I were a 1337 haxxor and I wanted to disguise a commit to, say, Linux
for my backdoor I would disguise it as a mistake. Totally right, that would be
smart and awesome. I'd have something to say on the next HN post of "What
makes a Senior Software Engineer", because a junior engineer would not be this
smart.

As an aside, long before the NSA reveals of 2013 there had been reports of
back doors in skype. My clock skew causes me to forget how many years ago that
was, but I'm gonna say somewhere 2005-2008. As 2013 passed, I thought back on
that and laughed.

So yeah, Skype is backdoored. Is this one of them? Perhaps. Or it's yet
another big corp fail. Orrrr...getting crazy now....it's a bug, but then it
was discovered long ago by smart people and has been exploited. So it wasn't
internal conspiracy, just a good find by some NSA dude.

Anyway. Back to my code.

