www.h-online.com
Anyone who uses Skype has consented to the company reading everything they write. The H's associates in Germany at heise Security have now discovered that the Microsoft subsidiary does in fact make use of this privilege in practice. Shortly after a user sends HTTPS URLs over the instant messaging service, those URLs receive an unannounced visit from Microsoft's headquarters in Redmond.
A reader informed heise Security that he had observed some unusual network traffic following a Skype instant messaging conversation. The server indicated a potential replay attack. It turned out that an IP address which traced back to Microsoft had accessed the HTTPS URLs previously transmitted over Skype. Heise Security then reproduced the events by sending two test HTTPS URLs, one containing login information and one pointing to a private cloud-based file-sharing service. A few hours after their Skype messages, they observed the following in the server log:
65.52.100.214 - - [30/Apr/2013:19:28:32 +0200]
"HEAD /.../login.html?user=tbtest&password=geheim HTTP/1.1"
They too had received visits to each of the HTTPS URLs transmitted over Skype from an IP address registered to Microsoft in Redmond. URLs pointing to encrypted web pages frequently contain unique session data or other confidential information. HTTP URLs, by contrast, were not accessed. In visiting these pages, Microsoft made use of both the login information and the specially created URL for a private cloud-based file-sharing service.
In response to an enquiry from heise Security, Skype referred them to a passage from its data protection policy:
"Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links."
A spokesman for the company confirmed that it scans messages to filter out spam and phishing websites. This explanation does not appear to fit the facts, however. Spam and phishing sites are not usually found on HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP URLs, which contain no information on ownership, untouched. Skype also sends HEAD requests, which merely fetch administrative information about the server rather than the page itself. To check a site for spam or phishing, Skype would need to examine its content.
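As an added example that is not part of the article, the following Python script turns the observation above into a log check: it parses Common Log Format lines like the one quoted earlier and reports HEAD requests from addresses outside a trusted set against URLs whose query string carries credentials or session tokens. The sample log lines, the path and the list of sensitive parameter names are constructed for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Common Log Format request line, e.g.
# 65.52.100.214 - - [30/Apr/2013:19:28:32 +0200] "HEAD /path?query HTTP/1.1"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"'
)

# Query-string keys that should never be fetched by a third party (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "session", "sessionid", "key"}

@dataclass
class Hit:
    ip: str
    timestamp: str
    path: str
    leaked_keys: list

def parse_line(line):
    """Return the request fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def sensitive_keys(target):
    """Sorted list of sensitive parameter names present in a request target."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return sorted(k for k in qs if k.lower() in SENSITIVE_KEYS)

def find_url_probes(lines, trusted_ips=frozenset()):
    """Flag HEAD requests from untrusted hosts against URLs carrying secrets.

    A HEAD only retrieves headers, so a client that sends one against a URL
    containing a password or token is checking the link, not using the page,
    which is exactly the pattern the article describes."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in trusted_ips or rec["method"] != "HEAD":
            continue
        keys = sensitive_keys(rec["target"])
        if keys:
            hits.append(Hit(rec["ip"], rec["ts"], urlsplit(rec["target"]).path, keys))
    return hits

# Constructed sample log: a probe like the one in the article (placeholder path),
# a normal GET by the intended recipient, and a harmless HEAD on a public page.
SAMPLE_LOG = [
    '65.52.100.214 - - [30/Apr/2013:19:28:32 +0200] "HEAD /example/login.html?user=tbtest&password=geheim HTTP/1.1"',
    '192.0.2.10 - - [30/Apr/2013:19:30:01 +0200] "GET /example/login.html?user=tbtest&password=geheim HTTP/1.1"',
    '65.52.100.214 - - [30/Apr/2013:19:31:45 +0200] "HEAD /index.html HTTP/1.1"',
]
```

Running `find_url_probes(SAMPLE_LOG)` on the constructed sample reports only the first line, naming the address, the path and the leaked `password` parameter.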
Back in January, civil rights groups sent an open letter to Microsoft questioning the security of Skype communication since the takeover. The groups behind the letter, which included the Electronic Frontier Foundation and Reporters without Borders, expressed concern that the restructuring resulting from the takeover meant that Skype would have to comply with US laws on eavesdropping and would therefore have to permit government agencies and secret services to access Skype communications.
In summary, The H and heise Security believe that, having consented to Microsoft using all data transmitted over the service pretty much however it likes, all Skype users should assume that this will actually happen and that the company is not going to reveal what exactly it gets up to with this data.