A new vulnerability has been discovered in Skype that allows a user to access a phone's data without entering the phone's passcode. The vulnerability affects Skype on Android and allows users to view photos and contacts, and even launch browser windows.
The bug was first spotted by Florian Kunushevci, who reported it to Microsoft. The bug hunter said that the flaw allows the person in possession of the phone to receive a Skype call, answer it, and then view photos, look up contacts, send a message, and open the browser by tapping links in a sent message, all without ever unlocking the phone.
"One day I got a feeling while using the app that there should be a need to check a part which seems to give me other options than it should. Then I had to change the way of thinking as a regular user into something that I can use for exploitation. For the specific bug that I have found on Skype, it is more of a bad design and also a bug in coding. I think to put it all together, humans make mistakes."
– Florian Kunushevci
He notified Microsoft about the bug in October and waited for the patch to be released before going public. Microsoft hasn't released an official statement about the bug, but the issue has been fixed in the latest version of Skype.
Via: The Register