Xibis’ Technical Director, Ian Newson, today came across quite a serious security flaw in Microsoft’s messaging service Skype.
We were surprised to find that Skype uses a locally stored unencrypted database to store details of previous chat sessions – and that this database is preserved even if you log out from Skype.
I won’t advise against using Skype, but I will advise that you need to be aware of the security concerns:
- Your network administrator will be able to see all of your messages by downloading the database across the network.
- Anyone with access to your PC will be able to see your messages even if you are not logged into Skype.
- If you log onto Skype on another machine and log off again, anyone with access to that machine will be able to read some of your historical messages – even if they weren’t sent from that PC.
- Messages that you see on Skype may have been created directly in the database by a malicious user.
You can easily see this problem for yourself. On Windows, this database is saved within the user’s folder at:
You can then view the file with a free SQLite database browser tool.
Don't log in using another person's PC
We wondered if the local database stored historical messages not sent from that machine, so I asked another user to log in on my PC, then immediately log out again. The Skype application automatically downloaded recent messages and stored them in the SQLite database.
If you do need to use another user’s PC for Skype, make sure you fully delete the main.db database afterwards – and don’t forget that even then the deleted file can be retrieved!
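A small audit script, added here as an example (it is not part of the original post), that walks a folder for leftover main.db files, confirms by file header that each really is a SQLite database, and counts the chat rows it still holds, opening the file read-only so the audit never alters it. The folder to scan and the name of the chat-history table (`Messages`) are assumptions, since the post names only the file; the sample tree it builds is constructed for the demo.

```python
import os
import sqlite3
import tempfile
from contextlib import closing
from urllib.request import pathname2url

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file

def count_rows(db_path, table):
    """Open the database read-only (audit, never alter) and count rows in `table`."""
    uri = "file:" + pathname2url(os.path.abspath(db_path)) + "?mode=ro"
    with closing(sqlite3.connect(uri, uri=True)) as conn:
        known = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,))
        if known.fetchone() is None:
            return None  # layout differs from the assumed one
        # `table` was just checked against sqlite_master, so quoting it as an identifier is safe.
        return conn.execute('SELECT COUNT(*) FROM "%s"' % table).fetchone()[0]

def find_leftover_dbs(root, table="Messages"):
    """Walk `root` (stand-in for the per-user Skype data folder, which the post does not
    reproduce) for main.db files that really are SQLite databases; `table` is the assumed
    chat-history table. Returns (path, size_bytes, row_count or None) tuples."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "main.db":
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if fh.read(len(SQLITE_MAGIC)) != SQLITE_MAGIC:
                    continue  # same file name, but not a SQLite database
            hits.append((path, os.path.getsize(path), count_rows(path, table)))
    return hits

def make_demo_tree():
    """Constructed sample tree: one real chat database plus a same-named decoy."""
    root = tempfile.mkdtemp()
    db = os.path.join(root, "someuser", "main.db")
    os.makedirs(os.path.dirname(db))
    with closing(sqlite3.connect(db)) as conn:
        conn.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, author TEXT, body_xml TEXT)")
        conn.executemany("INSERT INTO Messages (author, body_xml) VALUES (?, ?)",
                         [("colleague", "hi"), ("colleague", "can you send me the password?")])
        conn.commit()
    os.makedirs(os.path.join(root, "decoy"))
    with open(os.path.join(root, "decoy", "main.db"), "w") as fh:
        fh.write("not a database")  # right name, wrong format: must be skipped
    return root
```

Running `find_leftover_dbs(make_demo_tree())` reports the one real database with its two chat rows and ignores the decoy; point it at a real profile folder to see what survives a logout.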
We also tested to see if we could create spoof messages. Using an admin account from across a network, we edited the Skype database to insert a message, seemingly from a trusted colleague, asking for a password. When Skype was re-opened, the message appeared exactly as if that colleague had sent it. It’s easy to see how dangerous this could be.
Below you can see some old chat messages that I was able to retrieve after I had been logged out of Skype for several weeks.