Most interesting to me was the response from the MS Security Response Centre: "[T]his is not a valid vulnerability ... [It] relies entirely on social engineering."
This narrow view of what constitutes the system shows that MS Security is seriously flawed. If you run hosted software you have to consider the security aspects of the total system, including support and other human factors. Seems like MS is stuck in the mindset of shrink-wrapped software.
Mods removed "(They don't)" or similar from the title. Before they did this I think it more accurately reflected the intent of the original author, as this is the prominent subtitle on the page. Without this it makes the article sound much less interesting.
What is the deal with the low-quality title editing on here? So often we see good, informative titles get mindlessly edited to match the `<title>` tag of the target page.
I feel like this could be fixed very quickly if someone wanted to invest the time and was a bit on the chaotic side. 1) find Skype IDs of Microsoft managers, known people, big businesses with ties to MS 2) create 20+ fake accounts 3) start reporting abuse...
It's the same issue as in any big system - people on high enough positions are isolated from all the crap normal users have to deal with. If you can interrupt their business call though... I expect the fix will be coming soon.
I contacted their chat support to tell them about it. The person on the other end was insisting that I might be using another Skype account where my other contacts are. Which of course I ain't since I'm not that stupid. He then suggested the stupid bullshit Tier 1 support usually does, like reinstalling Skype. I did as asked.
Then he asked me for remote control of my PC which I refused, because I have sensitive data on my laptop and I'm on a MacOS anyway. I then asked for my issue to be upgraded to a higher-level tier, because losing my contacts is unacceptable. Then he made an accusation that I haven't reinstalled Skype as asked and that I'm probably using two accounts, at which point I gave up.
Anyway, Skype sucks, it's been a week since I've lost most of my contacts which I've been collecting for about 7 years or so and their support is useless.
If you're relying on Skype for your business, stop doing that ;-)
I've dumped all of these services due to random crap like this. Phone, SMS, email or go away. They're not perfect but they are significantly better than anything else.
However if you want a real turd: Skype for Business. Everything starts with 20 minutes trying to work out if it's working or not which for a random subset of people the answer is nope.
Phone and SMS are fucking useless if you spend any significant period of time using wifi without having signal (my office, the tube, etc.), and you have to pay to send images. SMS can go do one, to be honest.
My account is connected to a Microsoft account, but I can no longer authenticate with my Skype credentials, I can only connect with my Microsoft account now.
But it's the same account, the Skype ID is still there. Or in other words, if I indicate my Skype ID as the username in the auth dialog, they now expect my Microsoft password, not my old Skype password (I have unique passwords everywhere).
If you have any idea of how I can get my accounts back (I'm not interested in getting the connections back, just the list of IDs, because I don't remember everyone) that would be great.
Re business usage: I've found https://zoom.us/ to be a good alternative to Skype for conference calls and screen sharing - it's freemium, free for calls up to 40 minutes (after which you just re-call everyone). Quality of the call and software seems to be a lot better, maybe that's just because corporate firewalls don't try and do weird stuff to it though :D
I don't know how specific it is, but I know it works in the Windows version of the program. In your case, I guess it's too late to do the backup for your current problem; if you miss the contacts, obviously they were deleted before you knew that you could back them up. But it can help you save the remaining ones.
I've been looking for a Skype alternative since the security of Skype was weakened after it was acquired by Microsoft. I've had my account stolen multiple times because their support has changed the primary e-mail address of my account, I had to use the same method the social engineers used to get my account back. Since then I've avoided sharing anything slightly sensitive over Skype, as chat history is synced with anyone who accesses your account.
Finding a replacement isn't easy, but I've used Wire (wire.com) for a year now and find it good enough feature-wise, and excellent security-wise. It has its quirks and can be a resource hog at times (the desktop app uses Electron IIRC), but it's worth switching from the security disaster that is Skype.
You should definitely consider the matrix protocol (https://matrix.org) that is used with riot (https://riot.im).
Matrix allows for complete decentralization, and both the protocol and the client are open source. There are even many other clients, as matrix also works with, for example, weechat.
One of its biggest strengths is the support for bridges to other messengers like slack, irc and gitter.
I personally haven't yet tried group calls or video chat, but considering that those also use end-to-end encryption just like messages and attachments, and that this encryption has been fully audited, I could barely be any less hyped about all this.
As the author of this article pointed out, all of skype's flaws are more or less inherent to big centralized messengers, and this is exactly what we get around with matrix. It's really amazing what a great state it is already in. Sure, there is still lots of work left, but to me it appears to be the currently most promising project.
I just had a look at Jitsi and it seems like the Android app is in alpha stage, and that there won't be any iOS app (https://jitsi.org/Documentation/FAQ#ios). Smartphone apps are important to convince my contacts to make the switch, and to be able to communicate with them over the same channel when they're away from the computer.
I too switched from Skype to Wire, but it has been a challenge to convince other people to move to Wire. It has further been frustrating that it almost seems like the people running Wire have been trying to avoid marketing or letting people know that Wire exists.
That makes me wonder about their long term intentions (and if I'll lose credibility with my contacts that finally migrate to Wire just before wire vanishes or gets bought out by Facebook or Microsoft...)
I wouldn't say that they've avoided marketing, they're active on Twitter. I made the switch over a single day by sending a message to all my contacts informing them about it and then proceeded to delete all contacts from my list. The people I speak to regularly were quick to switch, others have switched over the months. I still have to use Skype from time to time for conference calls with certain people, but I avoid it as much as I can and don't consider any conversation I have on Skype as private.
Wire has also open-sourced their clients and a lot of components, so even if they were to vanish as a company, all work is not lost.
Wire also recently added a username feature[1], where you choose a certain username and don't need to disclose your name or phone number for others to find you on it. This replaced looking up contacts by e-mail.
I've looked at alternatives too, tried Jitsi.org and Ring.cx so far, with Jitsi seeming to be more robust when establishing connections through NAT.
Thanks for the suggestion about Wire, will have to try that too.
I used it 10 years ago, and it was great - or at least pretty good, compared to the other options. Video calls, screen sharing, chat.
But it had a number of problems. Mostly surrounding using it on multiple devices, making it very hard to keep track of what has and has not been read. Log onto Skype on a device I have not used in a couple of days, and "unread" messages show up - messages I have already read.
Over the past 10 years, none of the issues that I care about have been addressed. But we did get some garbage integration with facebook and nice emoticons. They added features nobody wants and have not addressed the problems. It is maddening.
It makes me sad. But it is unfortunately still the standard when you deal with non-technical people, so I keep using it... :(
Sadly, Skype is still used a lot. More than half of the emails I receive with a next step of communication proposal come suggesting Skype.
The only way to beat it would be to have another communication solution which can be used as simple as Skype is (for any age, technical literacy, etc.).
9) a static phone number for your voip that you can answer anywhere in the world
10) reasonably affordable subscriptions for the phone line to skype bridge.
11) Simple hardware you can use as a phone by simply logging in to skype
I know there are alternatives, but it has served me quite well for several years and changing means having to buy new VOIP phones.
Skype has its warts, huge ones, like very misleading errors.
Just today I got an email: "Your Skype Number will expire on" even while it has auto renew set to on.
Then after login it says "your skype number has been cancelled". No it has not been cancelled.
What ended up being the problem was that the skype database no longer knew how to bill from paypal. Even while it had used that for another subscription the other day. There was also no bounced payment, it just forgot.
I knew when I read "cancelled" that it meant something else from earlier similar problems. Skype is quite messy and every time I get an email "Skype has improved XYZ" I do wonder what it ended up breaking. I know I should find an alternative, but as long as it sort of works...
These types of security issues do make me wonder again, though.
I tried to use Wire with Zhovner (the author of this article) and it consumed 2 full CPU power for a simple voice call. My laptop heated up to 83°C, Zhovner's laptop was also hot.
That's pretty strange, since only Wire's interface is written in JavaScript; all the core things are in Rust.
3) Is not true for me though, it's awful mostly, but that's my pet peeve (all coders assume everyone else is on a 1000mbit connection as well all the time) and MS is really bad at making anything work on bad connections. Office 365 isn't even getting past the 'wait while loading' while Google drive/docs is completely usable when I have a bad connection (which is often). The software that was written for bad connections, like Whatsapp and Wechat, for me, have much better quality. But no video (which I personally don't need, but it violates your 3rd demand).
Well Skype just disconnects often and it takes a while to get back. While the 'others' don't have that as they assume the connection will break / is too slow?
For me, whatsapp video doesn't work at all. When I use it with my girlfriend (I have iOS, she has a new Android phone) her video has a real bad quality while I can see hers perfectly fine. Voice quality is good as well. Video quality is perfect on Duo and Skype and we're both on WiFi, so that's not the issue.
Don't know if it's due to the geography (across countries in Europe), but I couldn't find a solution yet. Calls work fine as well.
I'd love to get rid of Duo but have to keep using it as I don't want to use Skype on my phone.
I've entirely moved to using it for voice comms with people where I'm suggesting the platform. Its guest support is pretty robust, so just fire someone a link and they can dial in from their browser if they don't have the app. Call quality is better than Skype, and there are separate persistent chat rooms too. I like it a lot.
I started using Pidgin with the Skype plugin, because the company I work for uses Skype for Business (Lync in other words) and that program doesn't log anything, and in business logging is vital. Pidgin is open source, as are all the plugins, making it a good choice for business knowing you aren't installing anything you should not be, and it handles files etc ok, but doesn't do video at all.
WebRTC is almost there, and I think in the next few years most such emails will have a link to a WebRTC-based service. It is easier than Skype really. Just click a link and it starts a video call. There are just a few browser compatibility issues that need sorting out.
It's for gamers, but it's just chat and voice. I think it's smart of them to capture a niche because they have integration with streaming to Twitch. For example, it hides the names of contacts/server invites when you're streaming video online.
I wonder how many other free services' accounts can be disabled by bombarding an automated abuse-reporting/blocking system with reports of "abuse" from a specified username. A lot more than just Skype, I bet. And many of these services have no method of contacting a human at "customer service" because of the sheer number of free accounts (tens of millions).
If I were setting up an automated abuse-report-receiving system that could automatically disable accounts, I would run some sort of filter for "is the account reporting the abuse itself a newly created account, and/or one with suspiciously low and non-human looking usage patterns?".
But on the other side, malicious actors can solve that problem by having clickfarm workers in Bangladesh create 30 fake facebook accounts, post random drivel on them for a week to make them look like they're in use, and then use those to report abuse.
> If I were setting up an automated abuse-report-receiving system that could automatically disable accounts, I would run some sort of filter for "is the account reporting the abuse itself a newly created account, and/or one with suspiciously low and non-human looking usage patterns?".
That does not help against these kiddy vandals mentioned in the article.
The solution is not simple if you're on the business management side and need to concern yourself with the fully loaded yearly office space, overhead, payroll/benefits cost of hiring hundreds of well-trained, motivated, educated, English-speaking customer support reps to support your 20+ million "free" customers...
It all boils down to classic capitalism: privatizing profits (money not spent on support teams) and socializing losses (wasted police funds on SWATting, often needed psychological care for victims, lost productivity due to hacks)...
Once these losses are factored in, the tide swings towards support staff. But unfortunately that won't happen any time soon.
Simple and cheap are not the same. The solution is simple, it's just also expensive. This is the general "problem" with customer support, good support is not cheap, nor is cheap support good.
Requiring a credit card is a good way to stop 90% of the developing world from using your application... Stop a randomly chosen person on the street in a big city in India, Pakistan or Bangladesh and ask them if they have a Visa or Mastercard.
I guess this abuse reporting system was made to block spam via messages that are sent when adding a contact. But Microsoft doesn't check if the reported user is a spammer and whether he had sent any add requests.
It is obvious for me that Satya Nadella never uses Skype (or Lync, cough cough, Skype for Business). If he were using Skype he would write an e-mail like this Bill Gates rant: http://blog.seattlepi.com/microsoft/2008/06/24/full-text-an-... about Movie Maker.
Last year I discovered a bug that allowed you to call someone's phone and remotely activate its camera and mic by disconnecting the call while it was ringing - the target's device would simply call you back as if it were a dropped call.
My account on Skype seems to have gotten some sort of shadowban. I don't show up when people search for me and when I send people a contact request it shows as sent on my side but the other person never receives it. I can communicate fine with my existing contacts.
> Skype tech support is vulnerable to social engineering, and Microsoft is perfectly OK with that.
This bothers me a lot. My mom got a call from this guy pretending to be an MS employee a couple of weeks ago. He told her that the PC had been infected by a virus, MS had been notified, and he was helping her to resolve the issue. For a person like my mom, who is not much of a tech-savvy person, the chances are really high to fall for this. Fortunately, she told that guy to call her back later, because she didn't know the administrator password.
I added the interviewer in my contact list, but we were never able to start a video conference. We did it by phone instead. I did not have the job. Thanks Skype. Not to mention the interviewer had Skype Pro.
From the article: "Short recap:" As far as I can tell this recap is a summary of the original email exchange which is available from a link in the article.
I haven't read it closely enough to confirm that the gist of each message corresponds, but I don't see any of the explicit, abusive language from Skype in the emails that shows up in the recap.
The original article is in Russian, and here for our mentality this is not such unacceptable sarcastic exaggeration. But it may be too strong for a Western reader. So this can be considered as a little translation glitch (IMO).
I don't think I can fault Skype for this "vulnerability" - the problem itself isn't really in code, but in people. Yes, within the article there's mention of a past attack which relied on socially engineering a support specialist to send verification codes and guess the result, but that seems to have stopped. I'd actually love to know the key generation algorithm or the probabilities that go into guessing one of four-ish codes sent in a burst in just a few tries.
Still, the other exploit mentioned, the one not "patched" - this same kind of mass-reporting system exploit is usable in all manner of online forums and services - heck, HN's own flag feature could get pretty close (we just have some very hands-on moderators and an okay community)!
As for not restoring something when contacting support... I can understand why. It's _better_ this way, since then no malicious party who is _actually_ spamming with Skype accounts can retrieve an account using only a bit of social engineering! Instead they need to roll up new emails and new accounts. (And think of it this way: If a malicious party is abusing the system to get your account blocked, how will they know your new account to repeat the procedure? They shouldn't.)
Yes. It's a pity that the abuse reporting system is itself vulnerable to abuse, but... aren't most? Given Skype's massive userbase, putting the user reporting function behind a mechanical turk... the rate at which they'd need to comb through ban requests would seem to make fatigue (and thereby false positives, which would result in the same outcome as now) inevitable. The only interesting way I've seen this abuse-system abuse handled in recent years was the League of Legends tribunal system[1], where they effectively handed penalty decisions to the community at large and let them come to a consensus. Though I don't know how well it worked and, honestly, that system seems just as game-able as the automated report button itself. In fact, it feels analogous to a Sybil attack[2] in the crypto world - get enough aligned malicious identities in a decentralized system and they effectively control it. The only "fix" is making identity creation too expensive to make gaining a controlling share of the identity-space prohibitive (which would entail making account creation difficult) - I feel that this is _directly at odds_ with account creation speed and thus user acquisition for a service like this, so I cannot fault Skype for falling on the middle ground that they have.
If the support team is vulnerable to abuse, then deal with it. For example, stop blocking accounts due to abuse reports. Just block the account's ability to contact the reporter. Make some automatic abuse detection system to deal with the most popular cases. Invent some type of karma for users, keep it hidden, but let this karma influence the decision making of the support team or abuse detection system.
A little courage to face the problem and some creativity to brainstorm a solution... But the Skype team seems to lack the will to solve any problems.
If they guessed the verification code then there's clearly a massive code issue.
And if a report system is broken enough you can just not have one. Or maybe take away the ability of an account to send friend requests while leaving the rest of it intact. That would take care of spambots without ruining real accounts.
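The three ideas floated above (weighting a report by whether the reporting account is new or barely used, blocking only the reporter-to-target contact rather than the whole account, and pulling friend-request rights instead of banning) can be sketched as one triage routine. This is an added illustration, not code from the article or from Skype; the account ages, message counts, thresholds and the 24-hour window are assumed values chosen for the demo, and the accounts and reports are constructed inline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Account:
    id: str
    created: datetime
    messages_sent: int  # rough proxy for real, human-looking usage


@dataclass(frozen=True)
class Report:
    reporter: str
    target: str
    at: datetime


def reporter_weight(acct: Account, now: datetime) -> float:
    """How much one report from this account counts (assumed thresholds)."""
    if now - acct.created < timedelta(days=7):
        return 0.0  # brand-new accounts carry no weight at all
    if acct.messages_sent < 20:
        return 0.25  # old but nearly idle: a small weight
    return 1.0


def triage(target: Account, reports: list, accounts: dict, now: datetime,
           window: timedelta = timedelta(days=1), threshold: float = 3.0) -> dict:
    """Decide what to do about reports against `target` in the recent window.

    Never returns a full ban: the strongest outcome is losing the ability to
    send contact requests plus a human-review ticket, so existing
    conversations keep working even if the reports turn out to be bogus.
    """
    recent = [r for r in reports if r.target == target.id and now - r.at <= window]
    distinct = {}
    for r in recent:
        distinct.setdefault(r.reporter, r)  # one vote per reporter, however many clicks
    score = sum(reporter_weight(accounts[rid], now) for rid in distinct)
    over = score >= threshold
    return {
        # Always honoured and cheap: the reporter never hears from the target again.
        "block_contact_from": sorted(distinct),
        "restrict_contact_requests": over,
        "escalate_to_human": over,
        "weighted_score": score,
        "raw_report_count": len(recent),
    }


def demo() -> tuple:
    """Two constructed scenarios against the same long-standing account."""
    now = datetime(2017, 1, 1, 12, 0)
    victim = Account("victim", now - timedelta(days=2000), 5000)
    accounts = {"victim": victim}
    reports = []

    # Scenario A: 25 throwaway accounts created yesterday, each clicking "report" 5 times.
    for i in range(25):
        rid = f"sock{i}"
        accounts[rid] = Account(rid, now - timedelta(days=1), 0)
        reports += [Report(rid, "victim", now - timedelta(minutes=m)) for m in range(5)]
    a = triage(victim, reports, accounts, now)

    # Scenario B: on top of that, four active year-old accounts each report once.
    for i in range(4):
        rid = f"regular{i}"
        accounts[rid] = Account(rid, now - timedelta(days=400), 900)
        reports.append(Report(rid, "victim", now - timedelta(hours=1)))
    b = triage(victim, reports, accounts, now)
    return a, b


if __name__ == "__main__":
    for label, d in zip("AB", demo()):
        print(label, d["raw_report_count"], d["weighted_score"],
              d["restrict_contact_requests"], len(d["block_contact_from"]))
```

In scenario A the 125 raw reports from day-old accounts produce a weighted score of zero, so the target only loses the ability to message those 25 reporters; in scenario B four established reporters push the score over the threshold and the case goes to a human with contact requests suspended in the meantime. The point of the design is that a flood of fresh accounts can at most silence itself, not take an account offline.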