


A soon-to-be-deprecated API included with Skype for Mac contains a vulnerability that allows an attacker to bypass authentication procedures and query for user data or interact with a local Skype installation.

According to researchers from Trustwave, the bug affects the Desktop API, previously known as the Skype Public API. The role of this API is to enable third-party applications to communicate with Skype.

Trustwave has put forward two plausible explanations for this bug's presence. "An interesting possibility is that this bug is the result of a backdoor entered into the Desktop API to permit a particular program written by the vendor to access the Desktop API without user interaction," researchers wrote. "Indeed, this possibility seems even more likely when you consider that the Desktop API provides for an undocumented client name identifier (namely 'Skype Dashbd Wdgt Plugin')," Trustwave added.

Or is it a coding accident?

But the backdoor theory isn't as clear-cut as the researchers make it out to be. This 'Skype Dashbd Wdgt Plugin' appears to be an older name for the actual Skype for Mac Dashboard widget, currently still available with recent Skype installations.

A developer might have started to implement the Dashboard widget, encountered a problem and restarted from scratch, without deleting the old authentication bypass mechanism, which was left in Skype's API for years. "This raises the possibility that the backdoor is the result of a development accident which left the code behind accidentally during the process of implementing the Dashboard plugin," researchers explained.

Researchers say they were able to track this so-called "backdoor" as far back as five years.
