Chrome Skype Extension Flaw Threatened User Privacy

A serious security flaw in Microsoft’s Skype extension for Chrome browser risked users’ privacy. Thankfully, Microsoft fixed the vulnerability by rolling out an overhauled extension version for the users.

Microsoft Fixed The Chrome Skype Extension Privacy Flaw

Elaborating on the details via a blog post, researcher Wladimir Palant mentioned how a security flaw riddled the Skype Chrome extension.

Specifically, the Skype extension for Chrome was supposed to offer a direct means of starting Skype conversations within the browsers’ environment. In simple words, the extension would integrate the chat functionality to a website a user visits.

While the extension typically supported integration with certain websites only (like Gmail), it would continue working on other websites too. Thus, an adversary could easily know the user’s identity by exploiting the bug via any random website.

The attack only required the user to be signed in to a Microsoft account, whether it is an Outlook account, a Skype ID, or any other Microsoft platform. Then, for a signed-in user, the extension would expose users’ identity details stored in the extension’s session storage.

Describing the issue, the post reads,

In content script context sessionStorage is no longer extension’s storage, it’s the website’s. So the website can read it out trivially: console.log(sessionStorage["sxt-user"]);
This will produce an output like “8:live:.cid.0123456789abcdef.” And the part after “8:” is your Skype ID. That anybody can put into the Skype search to see your name and avatar.

In the case of a malicious website, the adversary could deceptively start a Skype conversation, spamming the user with messages. That’s because the conversation stealthily started from the user’s end, without him knowing.

Nonetheless, Microsoft fixed this matter in June 2021 by shutting down the api.scheduler.skype.com Skype server.

Moreover, Microsoft also addressed the bug thoroughly by releasing a new update entirely different from the previous ones. This includes ditching several functionalities, such as sharing website links with Skype contacts and calling from search results via the extension.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients