
Skype Users Beware of Security Concern

Xibis’ Technical Director, Ian Newson, today came across quite a serious security flaw in Microsoft’s messaging service Skype.

We were surprised to find that Skype uses a locally stored unencrypted database to store details of previous chat sessions – and that this database is preserved even if you log out from Skype. 

I won’t advise against using Skype, but I will advise that you need to be aware of the security concerns:

  • Your network administrator will be able to see all of your messages by downloading the database across the network.
  • Anyone with access to your PC will be able to see your messages even if you are not logged into Skype.
  • If you log onto Skype on another machine and log off again, anyone with access to that machine will be able to read some of your historical messages – even if they weren’t sent from that PC.
  • Messages that you see on Skype may have been created directly in the database by a malicious user.

You can easily see this problem for yourself. On Windows, this database is saved within the user’s folder at:
  C:\Users\[username]\AppData\Roaming\Skype\[skype username]\main.db

You can then view the file with a free SQLite database browser tool.

Don't log in using another person's PC

We wondered if the local database stored historical messages not sent from that machine, so I asked another user to log in on my PC, then immediately log out again. The Skype application automatically downloaded recent messages and stored them in the SQLite database.

If you do need to use another user’s PC for Skype, make sure you fully delete the main.db database afterwards – and don’t forget that even then the deleted file can be retrieved!

Spoof Messages

We also tested to see if we could create spoof messages. Using an admin account from across a network, we edited the Skype database to insert a message, seemingly from a trusted colleague, asking for a password. When Skype was re-opened, the message appeared as if sent by the user. It’s easy to see how dangerous this could be.
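As an added example (not code from Xibis or Skype), the Python sketch below audits a Skype data folder for leftover main.db files, confirms from the file header that each one is an unencrypted SQLite database, and compares hashes against a baseline taken at logout to flag a database that was edited while you were logged out. The function names, the throwaway demo folder and the `demo_notes` table are assumptions for illustration and do not reflect Skype's real schema.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every unencrypted SQLite file


def audit_skype_profiles(skype_root):
    """Return {profile_name: {"plaintext": bool, "sha256": str}} for each main.db found."""
    report = {}
    for db in sorted(Path(skype_root).glob("*/main.db")):
        data = db.read_bytes()
        report[db.parent.name] = {
            "plaintext": data.startswith(SQLITE_MAGIC),
            "sha256": hashlib.sha256(data).hexdigest(),
        }
    return report


def modified_offline(baseline, current):
    """Profiles whose main.db hash differs from the baseline taken at logout."""
    return sorted(
        name for name, entry in current.items()
        if name in baseline and entry["sha256"] != baseline[name]["sha256"]
    )


def build_demo_root():
    """Constructed sample: a throwaway directory standing in for the Skype folder."""
    root = Path(tempfile.mkdtemp())
    (root / "demo.user").mkdir()
    con = sqlite3.connect(str(root / "demo.user" / "main.db"))
    con.execute("CREATE TABLE demo_notes (body TEXT)")  # placeholder table, not Skype's schema
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    root = build_demo_root()
    baseline = audit_skype_profiles(root)
    con = sqlite3.connect(str(root / "demo.user" / "main.db"))
    con.execute("INSERT INTO demo_notes VALUES ('edited while logged out')")
    con.commit()
    con.close()
    print(baseline["demo.user"]["plaintext"], modified_offline(baseline, audit_skype_profiles(root)))
```

Skype itself rewrites main.db while it is running, so the baseline only means something if it is taken after logging out and checked before the next login. Keep the baseline somewhere that people with access to the PC cannot edit.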

Below you can see some old chat messages that I was able to retrieve after I had been logged out of Skype for several weeks.

 
