Hard to believe, but it's true.
Recently, Trustwave's SpiderLabs analysts discovered a hidden backdoor in Skype for Apple's macOS and Mac OS X operating systems that could be used to spy on users' communications without their knowledge.
The backdoor actually resides in the desktop Application Programming Interface (API) that allows third-party plugins and apps to communicate with Microsoft-owned Skype — the popular video chat and messaging service.
Appeared to have been around since at least 2010, the backdoor could allow any malicious third-party app to bypass authentication procedure and provide nearly complete access to Skype on Mac OS X.
How an Attacker can Take Complete Control of Your Skype
Accessing this backdoor is incredibly easy. All hackers need to do is change a text string in apps to this value → "Skype Dashbd Wdgt Plugin," and the desktop API would provide access to sensitive features of Skype.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
An attacker or any malicious program abusing this hidden backdoor could perform the following actions:
- Read notifications of incoming messages (and their contents)
- Intercept, read and modify messages
- Log and record Skype call audio
- Create chat sessions
- Retrieve user contact information
The backdoor believes to have been created by a developer at Skype before Microsoft acquired the company and likely exposed more than 30 Million Mac OS X users.
Update Your Skype Installation Now!
Trustwave notified Microsoft of the vulnerability in October, and the company has patched the issue in Skype 7.37 and later versions.
Here's what a Microsoft spokesperson said about the backdoor:
"We do not build backdoors into our products, but we do continuously improve the product experience [and] product security and encourage customers to always upgrade to the latest version."Trustwave also speculated that the backdoor believed to have been accidently left in Skype "during the process of implementing the dashboard plugin," as the Skype dashboard widget does not appear to utilize it.
All versions of Skype for macOS and Mac OS X, including 7.35 version, are vulnerable. So users are strongly recommended to update their Skype installation as soon as possible.