skype

Here are articles on skype

Skype is better, but still problematic

My article on Skype exposing address books to the world has gone mini-viral. Written in 2017, it’s gotten dozens of citations in early 2019. A reporter approached me, asking if the problem still exists. After doing some research, here’s what I’ve found.

Microsoft’s article is incorrect (probably by accident)

Microsoft explains how People You May Know suggestions are generated in this article. At the time of this writing (February 14, 2019), the article is incomplete. The article claims you and the contact must both take action to be visible to each other through People You May Know. For example, you must add each other in your address books. Or you must exchange an invite and acceptance.

Microsoft doesn’t mention the problem case: mutual connections

The problem case exists, but is not listed here: if you have a mutual connection, then you’ll show up in each other’s People You May Know list. The mutual connection is someone who fits the you-both-take-action criteria.

So if Sam is connected to Ash, and Ash is connected to Stacy, then Sam and Stacy will show up in each other’s People You May Know list even though they’ve never taken any action with respect to each other.

Sam and Stacy will see each other without a direct connection

Deleting Still Doesn’t Solve The Problem

I deleted all my contacts. Skype is still suggesting dozens of people. I don’t know any of them. As mentioned on Microsoft’s list above, Skype remembered my past connections and is still suggesting their people to me. I don’t know any of these suggested people, but now I know one of my prior contacts knows them.

This no longer works for strangers, thank goodness

When I first found this issue (Dec 2017), I created a new test account. Browsing a stranger’s profile was enough to get suggestions of people with the same last name who looked the same (presumably family members). As of today (Feb 2019), it seems like Microsoft has reined this in a bit … from my very brief testing, it seems you need a common contact to start the suggestion engine.

I still consider this a security problem, though not as bad as it was before.

You can only figure out the contacts of someone you are or have been connected with. You can’t do it to a complete stranger, you need to have one contact—invite, connection, or chat—with them first. This isn’t as big a hurdle as you might think.

Journalists still shouldn’t use Skype

Journalists beware! If you’re a journalist, using Skype can compromise your sources. JournalistChris interviews source LittleSnitch on Skype. If JournalistChris later interviews source MafiaDon, MafiaDon will have LittleSnitch suggested as a contact. After all, they both have you as a mutual contact. If MafiaDon knows about this bug, then MafiaDon may agree to Skype with you precisely to see if LittleSnitch then shows up on MafiaDon’s People You May Know list. You really don’t want MafiaDon knowing you’ve been talking with LittleSnitch.

Even with strangers, you can get some information. When you browse random profiles, Skype will tell you how many mutual contacts you have. If you only have a few contacts in Skype, you can guess with some certainty who the mutual contact is.

If MafiaDon did your interview and then immediately looked up LittleSnitch’s profile, MafiaDon would see that they have one mutual connection—you. That might be enough to tip off MafiaDon that LittleSnitch has been talking to the press.

Lawyers and Consultants, you beware too

The problem I outline for consultants and lawyers in my article remains. If you’re BankruptcyLawyer and you chat with MicrosoftCEO, then later chat with LogitechCEO, LogitechCEO will start seeing MicrosoftCEO as a suggested contact. LogitechCEO might even Skype with you deliberately to see who else gets suggested after the chat.

Indeed, you can imagine someone doing this very deliberately. If EvilBoy seriously wants to do research they could do this:

  1. EvilBoy creates a new Skype account, live:innocent_journalist2
  2. EvilBoy approaches BankruptcyLawyer and says “I’m a journalist. I wish to interview you for an article. Connect to me on Skype as live:innocent_journalist2”
  3. EvilBoy interviews BankruptcyLawyer
  4. Because BankruptcyLawyer is now the only contact in the live:innocent_journalist2 account, the People You May Know will suggest BankruptcyLawyer’s contacts to EvilBoy
  5. Furthermore, EvilBoy can now look up anyone’s profile on Skype and see if they have a mutual contact. If so, they know that person is in BankruptcyLawyer’s address book

This requires a concerted effort on the part of EvilBoy, and it also requires that BankruptcyLawyer add EvilBoy as a contact, accept a connection request from EvilBoy, or chat with EvilBoy at least once.
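
The leak in the steps above, and in the journalist scenario earlier, modeled on a constructed contact graph. This is an added example, not the author's code and not Skype's algorithm: it assumes suggestions are plain friends-of-friends and that a profile shows the mutual-contact count; `min_mutual` is a hypothetical threshold, and the `Unrelated*` names are constructed.

```python
from collections import Counter, defaultdict

class ContactGraph:
    """Toy friends-of-friends suggestion engine (assumed model, not Skype's code)."""

    def __init__(self):
        self.contacts = defaultdict(set)

    def connect(self, a, b):
        # An invite plus acceptance, an address-book add or a chat links both sides.
        self.contacts[a].add(b)
        self.contacts[b].add(a)

    def suggestions(self, user, min_mutual=1):
        # "People You May Know": non-contacts sharing >= min_mutual contacts.
        # min_mutual is a hypothetical threshold, not a real Skype setting.
        shared = Counter()
        for contact in list(self.contacts[user]):
            shared.update(self.contacts[contact])
        skip = self.contacts[user] | {user}
        return {p for p, n in shared.items() if n >= min_mutual and p not in skip}

    def mutual_count(self, viewer, profile):
        # The "N mutual contacts" figure shown on a profile page.
        return len(self.contacts[viewer] & self.contacts[profile])


def exposed_by(graph, user, new_contact, min_mutual=1):
    """Names that start appearing for new_contact once user connects to them."""
    before = graph.suggestions(new_contact, min_mutual)
    graph.connect(user, new_contact)
    return graph.suggestions(new_contact, min_mutual) - before


def attributable(graph, viewer, profile):
    """True when viewer has one contact, so any mutual contact must be that one."""
    return len(graph.contacts[viewer]) == 1 and graph.mutual_count(viewer, profile) == 1


def build_sample():
    # Constructed graph using the article's placeholder names.
    g = ContactGraph()
    g.connect("BankruptcyLawyer", "MicrosoftCEO")
    g.connect("BankruptcyLawyer", "LogitechCEO")
    g.connect("UnrelatedA", "UnrelatedB")
    return g
```

In this model, raising `min_mutual` to 2 empties the single-contact account's suggestion list, but `attributable` still returns True, so the mutual-contact count would have to be hidden as well.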

This Can Still Be Awkward Personally

This is still a problem. Let’s say Ashley uses Skype to meet people for online dating. Ashley might answer personal ads and chat with Syd and Alex. Ashley probably doesn’t want Syd and Alex to start showing up in each other’s contact lists. That could be awkward, especially if one (or both) of the relationships goes farther than a Skype chat. It seems like the privacy problems here are pretty evident.

In summary: the hurdle has risen since I wrote that article. Instead of being able to reverse engineer a stranger’s address book, you can only reverse engineer someone you’re connected to or have chatted with. Once. EvilBoy can still use Skype to work mischief, but now it takes a bit more work. For some people, this may still be too much of a privacy breach from a product that was founded on the premise of confidentiality.


Safety warning: if you use Skype, your contacts may now be exposed

UPDATE: February 14, 2019: Since writing this article in late 2017, Microsoft seems to have made a change that makes it a bit harder to reverse engineer someone’s address book, but most of the problem remains. You can read my update on how Skype still exposes your contacts in problematic ways.


A quick public service announcement for anyone who uses Skype. Executives, VCs, journalists, researchers, and anyone who cares about the privacy of their contact list should read this.

I don’t usually post about computer security, but in this case, it seemed quite serious. It’s also the kind of thing we’re used to from Facebook and LinkedIn. But it could have very serious consequences, since people use Skype differently from those social platforms. People use social media with an expectation of public transparency, while many use Skype with an expectation of privacy.

As of a couple of days ago, the new Skype tells other people how many contacts you have in common. It also offers your contacts as potential new contacts to everyone else in your contact book. This is a surprisingly serious privacy breach.

This means if you use Skype for anything where your contact list is sensitive (conference calls with clients, planning a protest over the skyrocketing price of kitty litter, coordinating your monthly meeting of people who relax by knitting exciting underwear), your contacts can quite possibly deduce who other contacts are. Furthermore, if they know about this new “feature,” they can make some smart deductions.

For example, you’re a mergers & acquisitions consultant. You are in talks with MergeMe, Inc. A prospect from WeMergeToo calls you. Immediately after you accept their contact request, they start seeing suggestions that they might know the MergeMe Inc CEO. They don’t, but they know they just connected to you, so they can quickly figure out MergeMe Inc is talking with you also.

I also just discovered I can look up a profile of someone I don’t know (they’re neither a contact nor a friend), log out and back in, and Skype will start suggesting their contacts to me as potential contacts of my own. (I can tell because those contacts have the same last name, physical resemblance, etc.) So this can be used by stalkers, bullies, harassers, and people who wish to research someone and learn who they know.

(This feature can be used for much more targeted research. I won’t go into details here. Suffice to say that you can get pretty specific.)

Microsoft’s support page says they’re considering changing this behavior someday. Of course, by that time, much damage will have been done.

I went through and deleted some of my contacts by hand this morning (it takes forever… in a triumph of “good for Microsoft, bad for the user” they make it super easy for you to give them your social graph, and super hard for you to take it back). Even deleted, Skype kept suggesting prior contacts to me. That suggests that they continue to keep that data — and probably call history and chat history as well — for use in “helpfully” building their social graph.

Important note: deleting your contact book isn’t enough. If your associates have you in their contact book, someone can still use the same mechanism to figure out the connection.

My reaction was to cancel my Skype account altogether. But because Microsoft cares so much about me, the best I can do is schedule it to be closed in 60 days. So for the next 60 days, like it or not, my contacts are going to continue to be exposed.

See: the Microsoft Skype support article

Also note Danida_U’s response from Microsoft: there’s no way to disable this short of opting out from being contactable at all. And no, there are no plans to remove the “feature.” They want to make it easier for friends and family to find you. My suggestion: if you want your friends and family to find you, tell them your Skype ID. Problem solved.

I recommend http://zoom.us or http://appear.in as alternatives that don’t “help” you by exposing your contacts to the world.