Microsoft's Skype software for Apple's macOS and OS X operating systems contains an application programming interface (API) that could be used to spy on user communications unnoticed, researchers have found.
Trustwave's SpiderLabs analysts discovered that the desktop API that lets third-party plugins and apps communicate with Skype can be used to easily bypass authentication.
Malicious third-party apps could bypass authentication simply by identifying themselves as the program that interfaces with the desktop API on behalf of the Skype dashboard widget plug-in.
All an attacker needs to do is change a text string in their application to the value "Skype Dashbd Wdgt Plugin", and the desktop API will grant access to sensitive Skype features without prompting the user.
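The core defect is that the desktop API treated a self-reported client name as proof of identity. The following Python model is an added illustration written for this article; it is not Trustwave's proof of concept, not Skype's real desktop API, and not Microsoft's fix. It puts the weak check beside a hardened one that binds the silent-grant privilege to an attribute the operating system vouches for (modelled here as a constructed process table of code-signing identities), and adds the audit check a defender would want: a caller that claims the trusted name while its verified identity differs. All PIDs, signing identifiers and the "hardened" design are assumptions.

```python
"""Why a self-reported client name is not authentication (constructed example).

Models an IPC gatekeeper that decides whether an attaching process is granted
access silently, as the dashboard widget plug-in was, or must be approved by
the user. Process identities, PIDs and signing ids are invented for the demo.
"""
from dataclasses import dataclass
from typing import Optional

# The name the vulnerable check trusted, as quoted in the Trustwave write-up.
TRUSTED_CLIENT_NAME = "Skype Dashbd Wdgt Plugin"

# Hypothetical OS-verified code-signing identity of the genuine widget plug-in.
TRUSTED_SIGNING_ID = "example.vendor.dashboard-widget"  # constructed value

# Constructed "process table": what the OS, not the client, reports per PID.
# A real gatekeeper would obtain this from a kernel-backed query on the
# connection itself, never from the message body the peer sends.
OS_VERIFIED_SIGNING_ID = {
    101: "example.vendor.dashboard-widget",  # genuine widget plug-in
    202: "example.other.third-party-app",    # unrelated third-party app
    303: None,                               # unsigned binary
}


@dataclass(frozen=True)
class AttachRequest:
    pid: int          # process asking to attach
    client_name: str  # free-form string chosen by that process itself


def weak_gatekeeper(req: AttachRequest) -> str:
    """Vulnerable pattern: trust whatever name the peer asserts about itself."""
    if req.client_name == TRUSTED_CLIENT_NAME:
        return "granted-silently"
    return "prompt-user"


def hardened_gatekeeper(req: AttachRequest) -> str:
    """Bind the silent-grant privilege to an OS-verified attribute of the peer.

    The client_name field is still accepted for display and logging, but it
    plays no part in the authorization decision.
    """
    verified = OS_VERIFIED_SIGNING_ID.get(req.pid)
    if verified is not None and verified == TRUSTED_SIGNING_ID:
        return "granted-silently"
    return "prompt-user"


def audit_mismatch(req: AttachRequest) -> Optional[str]:
    """Detection angle: a caller that claims the trusted name but whose verified
    identity differs deserves an alert, whichever decision the gatekeeper made."""
    verified = OS_VERIFIED_SIGNING_ID.get(req.pid)
    if req.client_name == TRUSTED_CLIENT_NAME and verified != TRUSTED_SIGNING_ID:
        return (f"pid={req.pid} claims {req.client_name!r} "
                f"but OS-verified signing id is {verified!r}")
    return None


def evaluate(req: AttachRequest) -> dict:
    """Run both gatekeepers and the audit check on one request."""
    return {
        "weak": weak_gatekeeper(req),
        "hardened": hardened_gatekeeper(req),
        "alert": audit_mismatch(req),
    }


if __name__ == "__main__":
    genuine = AttachRequest(101, TRUSTED_CLIENT_NAME)
    spoofed = AttachRequest(202, TRUSTED_CLIENT_NAME)  # only the string changed
    honest = AttachRequest(202, "Some Other App")
    unsigned = AttachRequest(303, TRUSTED_CLIENT_NAME)
    for r in (genuine, spoofed, honest, unsigned):
        print(r.pid, r.client_name, evaluate(r))
```

Run stand-alone, the weak gatekeeper silently grants both the genuine plug-in and the process that merely copied its name, while the hardened gatekeeper grants only PID 101 and the audit check flags PIDs 202 and 303. The design point is that any string the peer writes into its own request is attacker-controlled; only an attribute the OS attaches to the connection (here modelled by the process table) can carry an authorization decision.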
Trustwave provided proof-of-concept Objective-C code that initiates the connection process without asking the user for permission to attach to Skype.
Although later versions of the desktop API removed access to text messages, it still provides access to notifications of incoming messages and their contents, Trustwave said.
The desktop API can also be used to modify messages, create chat sessions, and retrieve user contacts. Calls can be logged, and their audio recorded to the local system disk.
All versions of Skype for macOS/OS X - including the most recent 7.35 version - are vulnerable, Trustwave said.
Microsoft was notified of the flaw in October, and has patched the vulnerability in Skype 7.37 and later versions.
The desktop API has been present in Skype for Mac for more than five years and it is gradually being phased out, the researchers said.
Trustwave speculated that the backdoor was inserted into Skype by accident, as the Skype dashboard widget doesn't appear to utilise it.
"This raises the possibility that the backdoor is the result of a development accident which left the code behind accidentally during the process of implementing the dashboard plugin," the researchers wrote.
Researcher Adam Boileau of Insomnia Security similarly said he doubted the bug was an intentional backdoor.
"It looks like another case of developers not thinking things through properly," Boileau told iTnews.
A Microsoft spokesperson said "we don’t build backdoors into our products, but we do continuously improve the product experience as well as product security and encourage customers to always upgrade to the latest version".