Skype for Android has major security flaws that could leave user details and personal data open to attack, according to a report.
The vulnerability involves the way the VoIP software stores data, an investigation by Android Police found, and could leave details such as instant messaging logs and address details open to attackers.
“I was in shock at just how much information I could harvest,” wrote the report's author, bylined Justin Case.
“Everything was available to the rogue app I created, without the need for root or any special permissions and affected Skype for Android [which has been available since October 2010], meaning this affects all of the at least 10 million users of the app.”
According to the report, Skype had given the files improper permissions, meaning anyone, or any app, could access the unencrypted data contained within them.
The exploit relied on access to a folder within the Skype data directory, where Skype stores contacts, profiles, instant message logs, and other details in a number of sqlite3 databases.
“The most interesting file one can gain access to is main.db,” the report said.
“The accounts table in this database holds information such as account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, your webpage, your bio, and more.”
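An added example, not code from the Android Police report or from Skype: a Python audit that walks an app data directory and lists the files whose mode bits let any other UID, and so any other installed app, read or write them. The directory names and the sample tree are constructed placeholders (only main.db is named in the report), and the check assumes the directories above the scanned root are traversable.

```python
import os
import stat
import tempfile

def world_accessible(root):
    """Map relative path -> 'r', 'w' or 'rw' for regular files under root
    that another UID could open, judged from mode bits only."""
    findings = {}
    # Nothing below root is reachable unless "other" may traverse root itself.
    reachable = {root: bool(os.stat(root).st_mode & stat.S_IXOTH)}
    for dirpath, dirnames, filenames in os.walk(root):
        here = reachable[dirpath]
        for name in dirnames:
            path = os.path.join(dirpath, name)
            # A subdirectory is reachable only if every ancestor grants o+x.
            reachable[path] = here and bool(os.lstat(path).st_mode & stat.S_IXOTH)
        if not here:
            continue  # loose file modes do not matter behind a closed directory
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, sockets, FIFOs
            access = ("r" if mode & stat.S_IROTH else "") + (
                "w" if mode & stat.S_IWOTH else "")
            if access:
                findings[os.path.relpath(path, root)] = access
    return findings

def build_sample_tree():
    """Constructed sample data directory; only the name main.db is from the report."""
    root = tempfile.mkdtemp()
    layout = [  # (directory, directory mode, file, file mode), all constructed
        ("files/profile_a", 0o755, "main.db", 0o666),   # exposed: rw for any UID
        ("files/profile_a", 0o755, "cache.db", 0o600),  # owner-only file
        ("files/profile_b", 0o700, "main.db", 0o666),   # loose file, closed directory
    ]
    for directory, dmode, filename, fmode in layout:
        dpath = os.path.join(root, directory)
        os.makedirs(dpath, exist_ok=True)
        fpath = os.path.join(dpath, filename)
        with open(fpath, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(fpath, fmode)
        os.chmod(dpath, dmode)
    os.chmod(os.path.join(root, "files"), 0o755)
    os.chmod(root, 0o755)
    return root

if __name__ == "__main__":
    for path, access in sorted(world_accessible(build_sample_tree()).items()):
        print(access, path)
```

Owner-only file modes (0600) or a data directory closed to other UIDs (0700) both clear the finding; encrypting the stored data addresses the separate point that the files were unencrypted.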
According to Android Police, Skype has said it is investigating the weakness, while a number of responses criticised the site for exposing the vulnerability before Skype had prepared a fix.
Skype was unavailable for comment at the time of publication.