Skype’s Android app has a vulnerability that allows anyone holding the phone to reach its contacts, gallery and even browser windows by bypassing Android’s lock screen passcode.
Florian Kunushevci, a bug hunter, discovered this vulnerability and reported it to Microsoft. Explaining the flaw, he said that it allows anyone in possession of someone’s phone to receive a Skype call and answer it without unlocking the phone. Once the person picks up the call, they can go to the gallery, access contacts, type and send a message, and open the browser by clicking links sent in the message.
Such a flaw lets criminals or pranksters reach a large amount of private data on the phone without ever entering the passcode. The flaw is demonstrated in this video shared on YouTube.
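The article does not say which coding error let the call screen escape the lock screen, so the following is an added illustration (not Skype’s code and not the actual fix) of the defensive pattern that prevents this class of bypass on Android: an incoming-call Activity may legitimately be shown over the keyguard, but every action that would leave the call UI (opening a chat, the gallery, or a link) must first force the keyguard to be dismissed, which means the user authenticates. `IncomingCallActivity`, `openProtected` and the `R.layout.incoming_call` layout are hypothetical names; the `KeyguardManager` calls are real framework APIs.

```java
// Added defensive illustration; not the Skype app's code.
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.view.WindowManager;

public class IncomingCallActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // The call screen itself may appear over the lock screen: that is the
        // legitimate use case for a VoIP app and is not the problem.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O_MR1) {
            setShowWhenLocked(true);
            setTurnScreenOn(true);
        } else {
            getWindow().addFlags(WindowManager.LayoutParams.FLAG_SHOW_WHEN_LOCKED
                    | WindowManager.LayoutParams.FLAG_TURN_SCREEN_ON);
        }
        setContentView(R.layout.incoming_call); // hypothetical layout resource
    }

    /**
     * Gate for any action that navigates away from the call UI. If the device is
     * locked, the action runs only after the user dismisses the keyguard by
     * authenticating; if they cancel or it fails, nothing happens.
     */
    private void openProtected(Runnable action) {
        KeyguardManager km = (KeyguardManager) getSystemService(Context.KEYGUARD_SERVICE);
        if (km == null || !km.isKeyguardLocked()) {
            action.run(); // device already unlocked: proceed normally
            return;
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            km.requestDismissKeyguard(this, new KeyguardManager.KeyguardDismissCallback() {
                @Override
                public void onDismissSucceeded() {
                    action.run(); // user authenticated: now allowed to leave the call UI
                }
                // onDismissCancelled / onDismissError keep the default (no-op):
                // the user stays on the call screen with nothing else exposed.
            });
        }
        // Below API 26 there is no dismiss-with-callback API; refusing the
        // navigation is the safe default rather than showing the content anyway.
    }

    /** Example: a link in an in-call message must not open while locked. */
    public void onOpenLinkClicked(Uri link) {
        openProtected(() -> startActivity(new Intent(Intent.ACTION_VIEW, link)));
    }

    /** Example: the gallery/attachment picker goes through the same gate. */
    public void onAttachImageClicked() {
        openProtected(() -> startActivity(new Intent(Intent.ACTION_PICK)
                .setType("image/*")));
    }
}
```

The design point is that "shown over the lock screen" and "allowed to act as an unlocked user" are separate privileges: the first is granted to the call screen by `setShowWhenLocked`, the second only by a successful `requestDismissKeyguard`. Any button that bypasses the gate, or any Activity reachable from the call screen that inherits the show-when-locked flag, recreates the class of flaw the article describes.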
How was the flaw discovered?
The 19-year-old bug researcher from Kosovo, an everyday user of the Skype app, noticed an irregularity in how the app accessed local files while performing VoIP calls. This is what led him to investigate further.
The researcher soon discovered that upon receiving and answering a Skype call, many phone application functions could be accessed without needing to unlock the phone.
Akin to previously discovered flaws in Skype’s iOS apps, this flaw is also ascribed to a security oversight by the app developers. Kunushevci further told The Register, "For the specific bug that I have found on Skype, it is more of a bad design and also a bug in coding. I think to put it all together, humans make mistakes."
The researcher informed Microsoft of the bug in the Skype app and waited before going public until the issue was fixed in the version of Skype released on December 23, 2018.
Note that this vulnerability affects Skype on all Android versions. All builds of the Skype app with a version number over 188.8.131.526 for the different Android versions include the patch for this bug. Meanwhile, Microsoft has not issued any official comment on the matter.