Cybersecurity specialists at the International Institute of Cybersecurity report the discovery of a vulnerability in the Android version of Skype that could be exploited to bypass the access code prompt on an Android device and access its documents and contacts, or even open the device’s browser.
Florian Kunushevci, a bounty hunter and cybersecurity expert, said that this vulnerability would allow anyone in possession of the smartphone to receive Skype calls, answer them without unlocking the device, and then access the photos, search the contact list, send text messages and even open the browser if a message contains a link. Anyone could exploit this vulnerability, whether family, friends or strangers. The error has already been reported to Microsoft.
Kunushevci, a young researcher from Kosovo, says he is a regular user of Skype for Android. It was during this regular use that he noticed strange behaviour in the application, related to the way it accesses data stored on the smartphone. On finding this, the researcher decided to begin a small ethical hacking project to discover what was happening in the Skype service.
“Recently, while I was using the app, I had the need to check an option that, apparently, gave more permission than it should”, said the young cybersecurity expert.
Kunushevci discovered that when a user answers a call in Skype, the app continues its normal operation, allowing actions such as access to the phone's data or the contact list regardless of whether the phone was locked when the call was received.
Similar to multiple errors found in iOS, this vulnerability is caused by an oversight in the system’s security. In this case, Skype allows users to access other functions without any additional verification steps. “I think that this vulnerability is more like an error in the design”, said the expert.
Before publishing any report on this vulnerability, Kunushevci reported the error to Microsoft and waited for the company to release an update to correct it. According to the cybersecurity experts’ reports, the error would have been corrected in the Skype update of the 23rd of last December. The error affects every version of Skype for Android, according to Kunushevci. However, the vulnerability’s scope seems to vary according to the operating system’s version.
Despite being only 19 years old, Kunushevci says he has some years of experience in this kind of work. He said that his interest in this field began at the age of 12, when he was looking for solutions to common errors on his PC. Two years later, he was already focusing on vulnerability research, earning some rewards for his reports.