How Skype fixes security vulnerabilities (zhovner.com)
364 points by atomlib on Dec 21, 2016 | hide | past | favorite | 115 comments

Most interesting to me was the response from the MS Security Response Centre: "[T]his is not a valid vulnerability ... [It] relies entirely on social engineering."

This narrow view of what constitutes the system shows that MS Security is seriously flawed. If you run hosted software you have to consider the security aspects of the total system, including support and other human factors. Seems like MS is stuck in the mindset of shrink-wrapped software.

Mods removed "(They don't)" or similar from the title. Before they did this I think it more accurately reflected the intent of the original author, as this is the prominent subtitle on the page. Without it the article sounds much less interesting.

When I read the title without the "They don't" in it I thought sarcastically to myself "They don't".

I literally did the same when I read the title. I guess Skype has done a lot to earn the snark.

What is the deal with the low-quality title editing on here? So often we see good, informative titles get mindlessly edited to match the `<title>` tag of the target page.

I feel like this could be fixed very quickly if someone wanted to invest the time and was a bit on the chaotic side. 1) find Skype IDs of Microsoft managers, known people, big businesses with ties to MS 2) create 20+ fake accounts 3) start reporting abuse...

It's the same issue as in any big system - people on high enough positions are isolated from all the crap normal users have to deal with. If you can interrupt their business call though... I expect the fix will be coming soon.

This is very true. OP can contact me for some MS employee Skype usernames. :)

Last week Skype dropped 2/3 of my contacts list.

I contacted their chat support to tell them about it. The person on the other end was insisting that I might be using another Skype account where my other contacts are. Which of course I ain't since I'm not that stupid. He then suggested the stupid bullshit Tier 1 support usually does, like reinstalling Skype. I did as asked.

Then he asked me for remote control of my PC which I refused, because I have sensitive data on my laptop and I'm on a MacOS anyway. I then asked for my issue to be upgraded to a higher-level tier, because losing my contacts is unacceptable. Then he made an accusation that I haven't reinstalled Skype as asked and that I'm probably using two accounts, at which point I gave up.

Anyway, Skype sucks, it's been a week since I've lost most of my contacts which I've been collecting for about 7 years or so and their support is useless.

If you're relying on Skype for your business, stop doing that ;-)

I've dumped all of these services due to random crap like this. Phone, SMS, email or go away. They're not perfect but they are significantly better than anything else.

However if you want a real turd: Skype for Business. Everything starts with 20 minutes trying to work out if it's working or not, and for a random subset of people the answer is nope.

Phone and SMS are fucking useless if you spend any significant period of time using wifi without having signal (my office, the tube, etc.), and you have to pay to send images. SMS can go do one, to be honest.

I read books on the tube :)

The support guy sure sounds like an ass...

With that said, is your Skype account linked to a Microsoft Live account? In that case that's where your contacts should be now.

My account is connected to a Microsoft account, but I can no longer authenticate with my Skype credentials, I can only connect with my Microsoft account now.

But it's the same account, the Skype ID is still there. Or in other words, if I indicate my Skype ID as the username in the auth dialog, they now expect my Microsoft password, not my old Skype password (I have unique passwords everywhere).

If you have any idea of how I can get my accounts back (I'm not interested in getting the connections back, just the list of IDs, because I don't remember everyone) that would be great.

If you are using a Microsoft account, have you tried to see if your contacts appear on outlook.com? They should share the same contacts.

Re business usage: I've found https://zoom.us/ to be a good alternative to Skype for conference calls and screen sharing - it's freemium, free for calls up to 40 minutes (after which you just re-call everyone). Quality of the call and software seems to be a lot better, maybe that's just because corporate firewalls don't try and do weird stuff to it though :D

For all who read this and wonder about their own backup before something strange happens, backing up the contacts from Skype is easy:

Contacts / Advanced / Backup Contacts to File

Consider doing this if you also find that "losing contacts is unacceptable."

There's, of course, also "Restore Contacts from File."

I don't have that option. Is this a Windows-specific or a "Skype for Business" thing?

I don't know how specific it is, but I know it works in the Windows version of the program. In your case, I guess it's too late to do the backup for your current problem; if you miss the contacts, obviously they were deleted before you knew that you could back them up. But it can help you save the remaining ones.

I've been looking for a Skype alternative since the security of Skype was weakened after it was acquired by Microsoft. I've had my account stolen multiple times because their support has changed the primary e-mail address of my account; I had to use the same method the social engineers used to get my account back. Since then I've avoided sharing anything slightly sensitive over Skype, as chat history is synced with anyone who accesses your account.

Finding a replacement isn't easy, but I've used Wire (wire.com) for a year now and find it good enough feature-wise, and excellent security-wise. It has its quirks and can be a resource hog at times (the desktop app uses Electron IIRC), but it's worth switching from the security disaster that is Skype.

You should definitely consider the Matrix protocol (https://matrix.org) that is used with Riot (https://riot.im). Matrix allows for complete decentralization, and both the protocol and the client are open source. There are even many other clients, as Matrix also works with, for example, WeeChat.

One of its biggest strengths is the support for bridges to other messengers like Slack, IRC and Gitter. I personally haven't yet tried group calls or video chat, but considering that those also use end-to-end encryption, just as messages and attachments do, and that this encryption has been fully audited, I could barely be any less hyped about all this. As the author of this article pointed out, all of Skype's flaws are more or less inherent to big centralized messengers, and this is exactly what we get around with Matrix. It's really amazing what a great state it is already in. Sure, there is still lots of work left, but to me it appears to be the currently most promising project.

Both are too difficult for normal people to grasp and have no central ID management, so you have to copy it manually.

Is matrix/riot ready for voice, video and conf video?

Why don't you try Jitsi? https://jitsi.org/

You can also try https://meet.jit.si/

Works directly in the browser (thanks to WebRTC), nothing to install, no need to create an account.

There's group video chat, screen sharing, youtube video sharing, collaborative text editing,...

And it's free software :)

I just had a look at Jitsi and it seems like the Android app is in alpha stage, and that there won't be any iOS app (https://jitsi.org/Documentation/FAQ#ios). Smartphone apps are important to convince my contacts to make the switch, and to be able to communicate with them over the same channel when they're away from the computer.

I too switched from Skype to Wire, but it has been a challenge to convince other people to move to Wire. It has further been frustrating that it almost seems like the people running Wire have been trying to avoid marketing or letting people know that Wire exists.

That makes me wonder about their long term intentions (and if I'll lose credibility with my contacts that finally migrate to Wire just before wire vanishes or gets bought out by Facebook or Microsoft...)

I wouldn't say that they've avoided marketing, they're active on Twitter. I made the switch over a single day by sending a message to all my contacts informing them about it and then proceeded to delete all contacts from my list. The people I speak to regularly were quick to switch, others have switched over the months. I still have to use Skype from time to time for conference calls with certain people, but I avoid it as much as I can and don't consider any conversation I have on Skype as private.

Wire has also open-sourced their clients and a lot of components, so even if they were to vanish as a company, all work is not lost.

Wire also recently added a username feature[1], where you choose a certain username and don't need to disclose your name or phone number for others to find you on it. This replaced looking up contacts by e-mail.

[1] https://medium.com/wire-news/time-to-get-your-username-3a54f...

I've looked at alternatives too, tried Jitsi.org and Ring.cx so far, with Jitsi seeming to be more robust when establishing connections through NAT. Thanks for the suggestion about Wire, will have to try that too.

Skype makes me sad.

I used it 10 years ago, and it was great - or at least pretty good, compared to the other options. Video calls, screen sharing, chat.

But it had a number of problems. Mostly surrounding using it on multiple devices, making it very hard to keep track of what has and has not been read. Log onto Skype on a device I have not used in a couple of days, and "unread" messages show up - messages I have already read.

Over the past 10 years, none of the issues that I care about have been addressed. But we did get some garbage integration with facebook and nice emoticons. They added features nobody wants and have not addressed the problems. It is maddening.

It makes me sad. But it is unfortunately still the standard when you deal with non-technical people, so I keep using it... :(

> making it very hard to keep track of what has and has not been read

This seems to have finally been addressed, at least on my OSX/iOS combo.

Sadly, Skype is still used a lot. More than half of the emails I receive with a next step of communication proposal come suggesting Skype.

The only way to beat it would be to have another communication solution which can be used as simply as Skype (for any age, technical literacy, etc.).

This. People talk about various alternatives, but I haven't seen one. The requirements are pretty simple:

1) Chat and group chat (persistent)

2) Simple file transfer and image posting in chat

3) Good quality voice calls, video calls and group voice calls

4) Apps for android/iOS with shared contact lists

5) Single application for all of the above (to enable a single group set, switching between group chat and group call with one button)

6) No server setup

7) Free or freemium on all platforms (With all features 1-5 in the free tier)

Are there any good alternatives? Is there even an alternative?

There's also

8) the phone line to skype voip bridge

9) a static phone number for your voip that you can answer anywhere in the world

10) reasonably affordable subscriptions for the phone line to skype bridge.

11) Simple hardware you can use as a phone by simply logging in to Skype

I know there are alternatives, but it has served me quite well for several years and changing means having to buy new VOIP phones.

Skype has its warts, huge ones, like very misleading errors.

Just today I got an email: "Your Skype Number will expire on" even while it has auto renew set to on.

Then after login it says "your skype number has been cancelled". No it has not been cancelled.

What ended up being the problem was that the Skype database no longer knew how to bill from PayPal, even while it had used that for another subscription the other day. There was also no bounced payment; it just forgot.

I knew when I read "cancelled" that it meant something else from earlier similar problems. Skype is quite messy and every time I get an email "Skype has improved XYZ" I do wonder what it ended up breaking. I know I should find an alternative, but as long as it sort of works...

These types of security issues do make me wonder again, though.

I switched to Wire a year ago and haven't looked back. It meets all your requirements, and has end-to-end encryption (based on Signal Protocol) too.

I tried to use Wire with Zhovner (the author of this article) and it consumed two CPUs' worth of power for a simple voice call. My laptop heated up to 83°C, and Zhovner's laptop was also hot. That's pretty strange, since only Wire's interface is written in JavaScript; all the core things are in Rust.

Maybe a Wire client bug... I've used Wire for voice+screen share, and my MBP i7 didn't heat up or make noise.

3) Is not true for me though, it's awful mostly, but that's my pet peeve (all coders assume everyone else is on a 1000mbit connection as well all the time) and MS is really bad at making anything work on bad connections. Office 365 isn't even getting past the 'wait while loading' while Google drive/docs is completely usable when I have a bad connection (which is often). The software that was written for bad connections, like Whatsapp and Wechat, for me, have much better quality. But no video (which I personally don't need, but it violates your 3rd demand).

> 3) Good quality voice calls, video calls and group voice calls

In my experience, voice quality issues are almost always due to the people and not the technology.

Well Skype just disconnects often and it takes a while to get back. While the 'others' don't have that as they assume the connection will break / is too slow?

WhatsApp has had video for a while now...

I'm guessing on your slow connection the update is still pending...

For me, WhatsApp video doesn't work at all. When I use it with my girlfriend (I have iOS, she has a new Android phone) her video has really bad quality while I can see hers perfectly fine. Voice quality is good as well. Video quality is perfect on Duo and Skype and we're both on WiFi, so that's not the issue.

Don't know if it's due to the geography (across countries in Europe), but I couldn't find a solution yet. Calls work fine as well.

I'd love to get rid of Duo but have to keep using it as I don't want to use Skype on my phone.

Discord does most of this.

I've entirely moved to using it for voice comms with people where I'm suggesting the platform. Its guest support is pretty robust, so just fire someone a link and they can dial in from their browser if they don't have the app. Call quality is better than Skype, and there are separate persistent chat rooms too. I like it a lot.

I like Discord, but their interface leaves a lot to be desired. Their sign out button is hidden away, and I wouldn't have found it if it wasn't for this article: https://support.discordapp.com/hc/en-us/articles/209572128-H...

Their tagline is "Free Voice and Text Chat for Gamers".

Yeah, they're definitely targeting that market initially - but I'm seeing communities outside that sphere start using it: https://facebook.github.io/react/blog/2015/10/19/reactiflux-...

It's not perfect, but if you're looking for voice, group voice, and group text chat, it's a great solution. Very, very simple setup, little overhead.

It is missing Video and Screen sharing, though.

What about wire.com? I think it's a nice app with focus on end-to-end security.

+ screen sharing

That and video seem to be the only things missing from Discord.

Discord lacks video calls I think, but it's good enough that it's displaced all the alternatives for me.

Riot.im is almost there, together with e2e crypto, foss stack, server federation and bridges to slack, irc etc.

Riot is a good alternative to IRC, Slack and other team/community chat systems.

It's not an option for the international 1 on 1 most Skype users are used to. The closest option seems to be Wire, but I've yet to try it.

Google hangouts?

Hangouts is not a bad idea actually. I think the chrome plugin actually makes it look like a decent desktop app too (?)

I very much prefer not to have to use a browser window for chat/voice/video.

Have you tried Allo/Duo?

Aren't those unavailable on desktop?

http://appear.in/yourconferencename is rather convenient and should be usable by anyone with a browser.

appear.in regularly pegs my CPU at 100% :(

Try http://meet.jit.si instead :)

and silently drops connections.

you keep talking for 10 minutes before you realize the other end was kicked out of the meeting...

My mother literally got broadband to Skype with her grandchildren.


John McWhorter: Words on the Move: Why English Won't - and Can't - Sit Still (Like, Literally)

no, just metaphorically.

Literally. That was the use case.

I started using Pidgin with the Skype plugin, because the company I work for uses Skype for Business (Lync in other words) and that program doesn't log anything, and in business logging is vital. Pidgin is open source, as are all the plugins, making it a good choice for business knowing you aren't installing anything you should not be, and it handles files etc ok, but doesn't do video at all.

WebRTC is almost there, and I think in the next few years most such emails will have a link to a WebRTC-based service. It is easier than Skype really. Just click a link and it starts a video call. There are just a few browser compatibility issues that need sorting out.

The only problem right now is that there's no WebRTC support on iOS :(

You mean in Safari on iOS? Native apps can support WebRTC, like Facebook Messenger does.

A lot of people use Discord now. I mean, you can use it inside of a browser, what can be easier than that?

Seems to be designed for games only, or did I end up in a targeted landing page?

Games are the target niche - but really - anyone can use it. At the end of the day - it's just a chat product - that has some gamer centric features.

It's for gamers, but it's just chat and voice. I think it's smart of them to capture a niche because they have integration with streaming to Twitch. For example, it hides the names of contacts/server invites when you're streaming video online.

I got a lot of friends to switch to whatsapp. The audio quality and stability is usually better.

How do you use whatsapp from a laptop without signing up using a phone first? Doesn't seem convenient at all.

On a desktop?

And it requires uploading every contact on your device to their servers. Nope.

I wonder how many other free services' accounts can be disabled by bombarding an automated abuse-reporting/blocking system with reports of "abuse" from a specified username. A lot more than just Skype, I bet. And many of these services have no method of contacting a human at "customer service" because of the sheer number of free accounts (tens of millions).

There have been a lot of instances of this happening to feminist or LGBT groups on Facebook and YouTube. These systems are fantastically abusable.

If I were setting up an automated abuse-report-receiving system that could automatically disable accounts, I would run some sort of filter for "is the account reporting the abuse itself a newly created account, and/or one with suspiciously low and non-human looking usage patterns?".

But on the other side, malicious actors can solve that problem by having click-farm workers in Bangladesh create 30 fake Facebook accounts, post random drivel on them for a week to make them look like they're in use, and then use those to report abuse.

> If I were setting up an automated abuse-report-receiving system that could automatically disable accounts, I would run some sort of filter for "is the account reporting the abuse itself a newly created account, and/or one with suspiciously low and non-human looking usage patterns?".

That does not help against these kiddy vandals mentioned in the article.

Yes, exactly why it's a hard problem to solve.

The solution is simple: Hire support people - and both train and allow them to deviate from the usual support flowcharts.

Oh, and check if they actually speak English well enough to communicate with customers. As a customer, I instantly notice outsourced callcenters.

The solution is not simple if you're on the business management side and need to concern yourself with the fully loaded yearly office space, overhead, and payroll/benefits cost of hiring hundreds of well-trained, motivated, educated, English-speaking customer support reps to support your 20+ million "free" customers...

It all boils down to classic capitalism: privatizing profits (money not spent on support teams) and socializing losses (wasted police funds on SWATting, often needed psychological care for victims, lost productivity due to hacks)...

Once these losses are factored in, the tide swings towards support staff. But unfortunately that won't happen any time soon.

Simple and cheap are not the same. The solution is simple, it's just also expensive. This is the general "problem" with customer support, good support is not cheap, nor is cheap support good.

The more latitude and discretion you give them, the more susceptible you'll be to social engineering attacks.

One can require the account to be many years old before giving it much weighting.

Also, require a verified phone number by SMS or a verified non-prepaid credit card.

Allow the user to use your site without that stuff, but restrict actions that spammers like to accounts that have provided it.

Requiring a phone number or credit card is an extremely effective way to have a large class of (legitimate) users nope out of your service.

Requiring a credit card is a good way to stop 90% of the developing world from using your application... Stop a randomly chosen person on the street in a big city in India, Pakistan or Bangladesh and ask them if they have a Visa or Mastercard.

Heck, even in Europe they usually don't.

To report, not to make an account.

I guess this abuse reporting system was made to block spam via messages that are sent when adding a contact. But Microsoft doesn't check if the reported user is a spammer and whether he had sent any add requests.

The cases I've heard of have generally been crowd-sourced, not automated.

Original in Russian: https://habrahabr.ru/post/316912/

Original submission by author: https://news.ycombinator.com/item?id=13225939

It is obvious to me that Satya Nadella never uses Skype (or Lync, cough cough, Skype for Business). If he were using Skype he would write an e-mail like this Bill Gates rant about Movie Maker: http://blog.seattlepi.com/microsoft/2008/06/24/full-text-an-...

Last year I discovered a bug that allowed you to call someone's phone and remotely activate its camera and mic by disconnecting the call while it was ringing; the target's device would simply call you back as if it were a dropped call.

They fixed it, but boy that was a doozy.

Oh god, haha! Someone picked up my original post about it on reddit and wrote an article including my original drawing.


Ed: Oh my word, hundreds of phone, tech and malware blogs picked up on it all over the world. I didn't have a clue.

Wow! Looks pretty much the same as the remote mic activation on desktop that I found a few years ago: https://translate.google.com/translate?hl=en&sl=ru&tl=en&u=h...

Can Skype for Android receive a call when the Skype app is in the background?

My account on Skype seems to have gotten some sort of shadowban. I don't show up when people search for me and when I send people a contact request it shows as sent on my side but the other person never receives it. I can communicate fine with my existing contacts.

> Skype tech support is vulnerable to social engineering, and Microsoft is perfectly OK with that.

This bothers me a lot. My mom got a call from a guy pretending to be an MS employee a couple of weeks ago. He told her that the PC had been infected by a virus, that MS had been notified, and that he was helping her to resolve the issue. For a person like my mom, who is not much of a tech-savvy person, the chances of falling for this are really high. Fortunately, she told that guy to call her back later, because she didn't know the administrator password.

From my sources inside of Skype, everyone is leaving, and Microsoft might be preparing to sell it. No wonder that nothing's changing.

This would explain why they no longer allow you to link your Skype to your Microsoft account: https://support.skype.com/en/faq/FA12060/can-i-link-or-unlin...

My first reaction seeing the title was, "Is this for Real!?".

Then, I saw what I was expecting as the very first line in the article.

I have used Skype for more than 10 years, and I feel it's abandoned. I also have a Google Voice account, same feeling.

I recently had an interview on Skype.

I added the interviewer to my contact list, but we were never able to start a video conference. We did it by phone instead. I did not get the job. Thanks Skype. Not to mention the interviewer had Skype Pro.

Not to mention the intrusive ads.

Lync (Skype for business) has been The Worst support that I've ever dealt with.

> <Skype> > We think that we gave enough information. You are piece of shit, live with it.

I've no idea if this is real or not, but if it is, it's pretty damning for Microsoft. I hope the author goes to court and wins!

From the article: "Short recap:" As far as I can tell this recap is a summary of the original email exchange which is available from a link in the article.


I haven't read it closely enough to confirm that the gist of each message corresponds, but I don't see any of the explicit, abusive language from Skype in the emails that shows up in the recap.

The original article is in Russian, and here, for our mentality, this is not such an unacceptable sarcastic exaggeration. But it may be too strong for a Western reader. So this can be considered a little translation glitch (IMO).

That is how the author sarcastically summarized the canned messages sent by Skype. Not very far from the truth, however.

I don't think I can fault Skype for this "vulnerability" - the problem itself isn't really in code, but in people. Yes, within the article there's mention of a past attack which relied on socially engineering a support specialist to send verification codes and guess the result, but that seems to have stopped. I'd actually love to know the key generation algorithm or the probabilities that go into guessing one of four-ish codes sent in a burst in just a few tries.

Still, the other exploit mentioned, the one not "patched": this same kind of mass-reporting system exploit is usable in all manner of online forums and services. Heck, HN's own flag feature could get pretty close (we just have some very hands-on moderators and an okay community)!

As for not restoring something when contacting support... I can understand why. It's _better_ this way, since then no malicious party who is _actually_ spamming with Skype accounts can retrieve an account using only a bit of social engineering! Instead they need to roll up new emails and new accounts. (And think of it this way: If a malicious party is abusing the system to get your account blocked, how will they know your new account to repeat the procedure? They shouldn't.)

Yes. It's a pity that the abuse reporting system is itself vulnerable to abuse, but... aren't most? Given Skype's massive userbase, putting the user reporting function behind a mechanical turk... the rate at which they'd need to comb through ban requests would seem to make fatigue (and thereby false positives, which would result in the same outcome as now) inevitable. The only interesting way I've seen this abuse-system abuse handled in recent years was the League of Legends tribunal system[1], where they effectively handed penalty decisions to the community at large and let them come to a consensus. Though I don't know how well it worked and, honestly, that system seems just as game-able as the automated report button itself. In fact, it feels analogous to a Sybil attack[2] in the crypto world: get enough aligned malicious identities in a decentralized system and they effectively control it. The only "fix" is making identity creation expensive enough that gaining a controlling share of the identity-space is prohibitive (which would entail making account creation difficult). I feel that this is _directly at odds_ with account creation speed and thus user acquisition for a service like this, so I cannot fault Skype for falling on the middle ground that they have.

[1] http://forums.na.leagueoflegends.com/board/showthread.php?t=...

[2] https://en.wikipedia.org/wiki/Sybil_attack

If the support team is vulnerable to abuse, then deal with it. For example, stop blocking accounts due to abuse reports. Just block the account's ability to contact the reporter. Make some automatic abuse detection system to deal with the most popular cases. Invent some type of karma for users, keep it hidden, but let this karma influence the decision making of the support team or abuse detection system.

A little courage to face the problem and some creativity to brainstorm a solution... But the Skype team seems to lack the will to solve any problems.
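The defences proposed across this thread (weighting reports by reporter account age and verification, a hidden karma score, and blocking only the reported account's contact with its reporters instead of disabling it) in working form, as an added example that is not code from the thread, from Skype or from Microsoft; the account fields, the thresholds and the click-farm burst heuristic are assumptions:

```python
"""Reporter-trust weighting for an abuse-report queue (added example; not the
thread's, Skype's or Microsoft's code). Reports are weighted by the reporter's
account age, verification and hidden "karma"; bursts of reports from accounts
created together are discounted; the outcome restricts the reported account's
contact requests or escalates to a human, never an automatic disable.
All thresholds are illustrative assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Account:
    user_id: str
    created: datetime
    verified: bool           # e.g. SMS or non-prepaid card check (assumed signal)
    reputation: float = 0.0  # hidden karma, -1.0 (bad reporter) .. 1.0 (trusted)

@dataclass(frozen=True)
class Report:
    reporter: Account
    reported: str            # user_id of the account being reported

def reporter_weight(acct, now):
    """Weight in 0..1: new, unverified or low-karma reporters count for little."""
    age_factor = min(max((now - acct.created).days, 0) / 365.0, 1.0)  # full after a year
    verify_factor = 1.0 if acct.verified else 0.5
    rep_factor = 0.5 + acct.reputation / 2.0                          # -1..1 -> 0..1
    return age_factor * verify_factor * rep_factor

def burst_clusters(accounts, window=timedelta(hours=24), min_burst=5):
    """user_id -> size of the largest group of reporters whose accounts were all
    created within `window` of each other (a click-farm signature)."""
    ordered = sorted(accounts, key=lambda a: a.created)
    sizes, start = {}, 0
    for end, acct in enumerate(ordered):
        while acct.created - ordered[start].created > window:
            start += 1                      # slide the window's left edge
        size = end - start + 1
        if size >= min_burst:
            for member in ordered[start:end + 1]:
                sizes[member.user_id] = max(sizes.get(member.user_id, 0), size)
    return sizes

def evaluate(reports, now, restrict_at=1.0, review_at=3.0):
    """Score reports against one target; a burst of N look-alike accounts counts
    as about one reporter. The target is only ever blocked from contacting its
    reporters; anything stronger goes to a human."""
    targets = {r.reported for r in reports}
    if len(targets) != 1:
        raise ValueError("evaluate() expects reports against a single account")
    reporters = {r.reporter.user_id: r.reporter for r in reports}  # one vote each
    clusters = burst_clusters(reporters.values())
    score = sum(reporter_weight(a, now) / clusters.get(a.user_id, 1)
                for a in reporters.values())
    if score >= review_at:
        action = "human_review"
    elif score >= restrict_at:
        action = "restrict_contact_requests"
    else:
        action = "no_action"
    return {"target": targets.pop(), "score": round(score, 3),
            "action": action, "blocked_for": sorted(reporters)}

# Constructed sample data, not real accounts.
NOW = datetime(2016, 12, 21)
FARM = [Account(f"farm{i:02d}", NOW - timedelta(days=7, minutes=i), False)
        for i in range(30)]                 # 30 week-old throwaways, made together
TRUSTED = [Account(f"user{i}", NOW - timedelta(days=3 * 365 + 30 * i), True, 0.5)
           for i in range(5)]               # long-standing, verified, good karma

def farm_attack():
    """30 throwaway accounts mass-report one victim -> no_action (score ~0.005)."""
    return evaluate([Report(a, "victim") for a in FARM], NOW)

def genuine_reports(count):
    """`count` trusted users report one spammer: 3 -> restrict, 5 -> human review."""
    return evaluate([Report(a, "spammer") for a in TRUSTED[:count]], NOW)

if __name__ == "__main__":
    for result in (farm_attack(), genuine_reports(3), genuine_reports(5)):
        print(result["target"], result["score"], result["action"])
```

The point of the burst discount is that thirty week-old accounts created within minutes of each other carry about the weight of one weak reporter, while a handful of long-standing verified users still escalate the case.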

If they guessed the verification code then there's clearly a massive code issue.

And if a report system is broken enough you can just not have one. Or maybe take away the ability of an account to send friend requests while leaving the rest of it intact. That would take care of spambots without ruining real accounts.
