Skype is better, but still problematic

My article on Skype exposing address books to the world has gone mini-viral. Written in 2017, it’s gotten dozens of citations in early 2019. A reporter approached me, asking if the problem still exists. After doing some research, here’s what I’ve found.

Microsoft’s article is incorrect (probably by accident)

Microsoft explains how People You May Know suggestions are generated in this article. At the time of this writing (February 14, 2019), the article is incomplete. The article claims you and the contact must both take action to be visible to each other through People You May Know. For example, you must add each other in your address books. Or you must exchange an invite and acceptance.

Microsoft doesn’t mention the problem case: mutual connections

The problem case exists, but is not listed here: if you have a mutual connection, then you’ll show up in each other’s People You May Know list. The mutual connection is someone who fits the you-both-take-action criteria.

So if Sam is connected to Ash, and Ash is connected to Stacy, then Sam and Stacy will show up in each other’s People You May Know list even though they’ve never taken any action with respect to each other.

Sam and Stacy will see each other without a direct connection

Deleting Still Doesn’t Solve The Problem

I deleted all my contacts. Skype is still suggesting dozens of people. I don’t know any of them. As mentioned on Microsoft’s list above, Skype remembered my past connections and is still suggesting their people to me. I don’t know any of these suggested people, but now I know one of my prior contacts knows them.

This no longer works for strangers, thank goodness

When I first found this issue (Dec 2017), I created a new test account. Browsing a stranger’s profile was enough to get suggestions of people with the same last name who looked the same (presumably family members). As of today (Feb 2019), it seems like Microsoft has reined this in a bit … from my very brief testing, it seems you need a common contact to start the suggestion engine.

I still consider this a security problem, though not as bad as it was before.

You can only figure out the contacts of someone you are or have been connected with. You can’t do it to a complete stranger, you need to have one contact—invite, connection, or chat—with them first. This isn’t as big a hurdle as you might think.

Journalists still shouldn’t use Skype

Journalists beware! If you’re a journalist, using Skype can compromise your sources. JournalistChris interviews source LittleSnitch on Skype. If JournalistChris later interviews source MafiaDon, MafiaDon will have LittleSnitch suggested as a contact. After all, they both have you as a mutual contact. If MafiaDon knows about this bug, then MafiaDon may agree to Skype with you precisely to see if LittleSnitch then shows up on MafiaDon’s People You May Know list. You really don’t want MafiaDon knowing you’ve been talking with LittleSnitch.

Even with strangers, you can get some information. When you browse random profiles, Skype will tell you how many mutual contacts you have. If you only have a few contacts in Skype, you can guess with some certainty who the mutual contact is.

If MafiaDon did your interview and then immediately looked up LittleSnitch’s profile, MafiaDon would see that they have one mutual connection—you. That might be enough to tip off MafiaDon that LittleSnitch has been talking to the press.
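The mutual-connection suggestions and the mutual-contact count described above can be modelled as a small graph to check what an account exposes before it accepts a new contact. This is an added example, not code from the original article or from Skype: it is a simplified model of the behaviour reported here, the class and method names are assumptions, and the sample graph is constructed from the article's placeholder names.

```python
from collections import defaultdict
from itertools import combinations

class ContactGraph:
    """Toy model of the reported behaviour; not Skype's actual algorithm."""

    def __init__(self):
        # The article reports that past connections are remembered after
        # deletion, so this model deliberately has no "remove" operation.
        self.adj = defaultdict(set)

    def connect(self, a, b):
        self.adj[a].add(b)
        self.adj[b].add(a)

    def suggestions(self, user):
        """People sharing at least one connection with user, not connected directly."""
        direct = set(self.adj[user])
        reachable = set()
        for contact in direct:
            reachable |= self.adj[contact]
        return reachable - direct - {user}

    def mutual_contacts(self, a, b):
        """What the mutual-contact count on a profile is derived from."""
        return self.adj[a] & self.adj[b]

    def exposed_pairs(self, hub):
        """Pairs of hub's contacts linked to each other only through hub."""
        pairs = []
        for a, b in combinations(sorted(self.adj[hub]), 2):
            if b not in self.adj[a] and self.mutual_contacts(a, b) == {hub}:
                pairs.append((a, b))
        return pairs

    def disclosed_by_accepting(self, hub, newcomer):
        """Contacts of hub that newcomer would start seeing as suggestions."""
        return self.adj[hub] - self.adj[newcomer] - {newcomer}

# Constructed sample graph using the article's placeholder names.
SAMPLE_EDGES = [("Sam", "Ash"), ("Ash", "Stacy"),
                ("JournalistChris", "LittleSnitch"), ("JournalistChris", "MafiaDon")]

def build_sample():
    graph = ContactGraph()
    for a, b in SAMPLE_EDGES:
        graph.connect(a, b)
    return graph
```

A mutual-contact set of size one, as for MafiaDon and LittleSnitch here, identifies the shared contact outright, which is the inference the article describes for accounts with few contacts.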

Lawyers and Consultants, you beware too

The problem I outline for consultants and lawyers in my article remains. If you’re BankruptcyLawyer and you chat with MicrosoftCEO, then later chat with LogitechCEO, LogitechCEO will start seeing MicrosoftCEO as a suggested contact. LogitechCEO might even Skype with you deliberately to see who else gets suggested after the chat.

Indeed, you can imagine someone doing this very deliberately. If EvilBoy seriously wants to do research they could do this:

  1. EvilBoy creates a new Skype account, live:innocent_journalist2
  2. EvilBoy approaches BankruptcyLawyer and says “I’m a journalist. I wish to interview you for an article. Connect to me on Skype as live:innocent_journalist2”
  3. EvilBoy interviews BankruptcyLawyer
  4. Because BankruptcyLawyer is now the only contact in the live:innocent_journalist2 account, the People You May Know will suggest BankruptcyLawyer’s contacts to EvilBoy
  5. Furthermore, EvilBoy can now look up anyone’s profile on Skype and see if they have a mutual contact. If so, they know that person is in BankruptcyLawyer’s address book

This requires a concerted effort on the part of EvilBoy, and it also requires that BankruptcyLawyer add EvilBoy as a contact, accept a connection request from EvilBoy, or chat with EvilBoy at least once.

This Can Still Be Awkward Personally

This is still a problem. Let’s say Ashley uses Skype to meet people for online dating. Ashley might answer personal ads and chat with Syd and Alex. Ashley probably doesn’t want Syd and Alex to start showing up in each other’s contact lists. That could be awkward, especially if one (or both) of the relationships goes farther than a Skype chat. It seems like the privacy problems here are pretty evident.

In summary: the hurdle has risen since I wrote that article. Instead of being able to reverse engineer a stranger’s address book, you can only reverse engineer someone you’re connected to or have chatted with. Once. EvilBoy can still use Skype to work mischief, but now it takes a bit more work. For some people, this may still be too much of a privacy breach from a product that was founded on the premise of confidentiality.