Skype is one of the most famous video calling platforms. Its Android app has a new vulnerability which allows criminals to access the contacts, gallery, and even browser windows by bypassing Android’s phone passcode screen.
Florian Kunushevci, a bug hunter, discovered this vulnerability and reported it to Microsoft. Explaining the flaw, he said that it allows anyone in possession of someone’s phone to receive a Skype call and answer it without unlocking the phone. Once the person picks up the call, they can go to the gallery, access contacts, type and send a message, and access the browser by clicking on the links sent in the message.
Such a flaw could allow cybercriminals to access a lot of private data on the phone without having to unlock it with the passcode. The flaw is demonstrated in a video shared on YouTube.
How was the flaw discovered?
The 19-year-old bug researcher from Kosovo, who is an everyday user of the Skype app, found a certain irregularity in how the app accessed local files while performing VoIP calls. This is what led him to investigate the matter further.
The researcher soon discovered that upon receiving and answering a Skype call, many phone application functions could be accessed without needing to unlock the phone.
Kunushevci further told The Register, “For the specific bug that I have found on Skype, it is more of a bad design and also a bug in coding. I think to put it all together, humans make mistakes.”
Note that this vulnerability affects Skype on all Android versions. All builds of the Skype app with a version number over 126.96.36.1996, across the different Android versions, include the patch for this bug. Meanwhile, Microsoft has not issued any official comment on the matter.
The researcher informed Microsoft of the bug in the Skype app and held off on going public until the issue was fixed in the version of Skype released on December 23, 2018.