Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Skype 5.x.x Information Disclosure

🗓️ 13 Feb 2012 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 22 Views

Skype 5.x.x Information Disclosure. Improper chat logs handling, allowing access despite "no history" option

Code
`Title:  
======  
Skype v. 5.x.x - information disclosure  
  
Date:  
=====  
2012-02-13  
  
Introduction:  
=============  
Skype is a proprietary voice-over-Internet Protocol service and  
software application.  
  
Abstract:  
=========  
We have discovered improper chat logs handling, which cause in logs  
accessibility even if user had enabled "no history" option in "Keep  
history for" settings or even destroy it manually with "Clear history"  
button.  
  
Report-Timeline:  
================  
2012-02-13: Public Disclosure  
  
Status:  
========  
Published  
  
Exploitation-Technique:  
=======================  
Local  
  
Severity:  
=========  
Low  
  
Details:  
========  
As mentioned in the Skype FAQ  
(https://support.skype.com/en-gb/faq/FA140/Managing-your-privacy-settings-Windows):  
"You can choose how long to keep your conversation history for, or  
delete it altogether.  
1. To change your history settings, in Skype from the menu bar click  
Skype > Privacy.  
2. Below Keep history for, click on the drop-down list and select the  
amount of time you would like your history to be saved for.  
Choose from forever, 3 months, 1 month, 2 weeks or no history at all.  
3. To delete your conversation history, click Clear history. This  
removes your entire history, including instant messages, calls,  
voicemails, text messages, sent and received files. If you delete your  
conversation history, you cannot recover it."  
  
This sounds safely, but in fact Skype stored all incoming and outgoing  
chat messages into local sqlite3 DB (file main.db, table Messages), in  
plain text. Even if "Keep history for"->"no history" option in  
Settings->Security is enabled, Skype write all your data into Messages  
table, but executes "delete * from Messages" after program exit. This  
command will destroy messages at logical level in DB, but in fact, in  
physical level all messages data stay alive (blocks in the DB file  
only marks as destroyed), and simply can be recovered even with text  
editor (as mentioned above, it is stored in plain text).  
  
Proof of Concept:  
=================  
In Windows XP, go to "C:\Documents and Settings\%user  
name%\Application Data\Skype\%Skype user name%" and open file main.db  
with text editor. All the ducks inside.  
  
Credits:  
========  
Anonymous  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Feb 2012 00:00Current
7.4High risk
Vulners AI Score7.4
skypeinformation disclosureimproper chat logs
22