Microsoft doesn’t feel the bugs are important enough to fix immediately, although one researcher disagrees

Skype spoofing vulnerabilities are a haven for social engineering attacks

Several purported security flaws in Skype have been disclosed publicly, but Microsoft claims they do not need “immediate security servicing”.

On February 2, researcher “mr.d0x,” also known as “TheCyberSecurityTutor”, publicly disclosed a “plague” of spoofing vulnerabilities in the Microsoft-owned remote chat and video app.

The researcher first began examining Skype in the second week of January and quickly found that the application’s messaging functionality does not have adequate protection against tampering.

As a result, it is possible to spoof links, file names, file sizes, and shared contacts on thick clients, web sessions, and on mobile.

Content spoofing

According to the researcher, tampering is possible by sending the content to be spoofed, intercepting the subsequent requests, and forwarding them with modified values – such as by modifying href and key attributes, as well as by intercepting spoofed content and changing values such as OriginalName, FileSize, and file extensions.

Shared contacts can be spoofed by sharing a contact, intercepting the request, and modifying either the display name or the username, which will in turn be reflected to the recipient.

The researcher also accidentally uncovered a means to crash a conversation on thick and web clients. If “too many” tags are added to the content value, the chat session becomes unresponsive and “fully inaccessible” for both the attacker and the victim.
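A receiving-side check for two of the issues described above (a link whose visible text names one host while its href opens another, and a message body flooded with tags), added here as an example and not taken from the article or the researcher. It assumes message bodies arrive as HTML-like markup with ordinary `<a href>` anchors, which the page does not confirm for Skype; `MAX_TAGS`, the function names and the sample domains are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_TAGS = 200  # assumed cap; the article gives no number for "too many" tags
# Constructed sample: the visible text names one host, the href opens another.
SAMPLE = '<a href="https://login.other.example/x">https://www.downloads.example/app</a>'

class Scan(HTMLParser):
    """Counts start tags and records (href, visible text) for each anchor."""
    def __init__(self):
        super().__init__()
        self.tags, self.links, self._href, self._text = 0, [], None, []

    def handle_starttag(self, tag, attrs):
        self.tags += 1
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:  # text nested inside the anchor counts too
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(value):
    """Host of a URL-looking string; None for ordinary wording (heuristic)."""
    value = value.strip()
    if not value or any(c.isspace() for c in value):
        return None
    try:
        name = urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:  # malformed bracketed host and similar
        return None
    return name.lower().removeprefix("www.") if name and "." in name else None

def check_message(html):
    """Return a list of findings for one received message body."""
    scan = Scan()
    scan.feed(html)
    scan.close()
    findings = [f"tag-flood: {scan.tags} tags"] if scan.tags > MAX_TAGS else []
    for href, text in scan.links:
        shown, target = host(text), host(href)
        if shown and shown != target:  # the label claims a host the link does not open
            findings.append(f"link-mismatch: shows {shown}, opens {target}")
    return findings

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

Link text that is ordinary wording ("Click here") is not flagged, so this only catches labels that themselves look like a URL or hostname.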

Source: Skype ‘spoofing vulnerabilities’ are a haven for social engineering attacks, security researcher claims