Worms can ride along on it to steal passwords.. be careful...
Vulnerabilities of the Skype API
With a milestone of six million concurrent online users set last month,
Skype’s active user base is growing quickly. With many worms now
targeting other IM platforms, it looks to be only a matter of time
before Skype becomes targeted as an infection vector. The presence of
functionally strong features in the Skype API makes it a prime target
for malicious code.
Towards the end of last year, Skype
introduced a programming API with the intention of fostering a growing
development community. Applications providing useful add-ons to Skype
functionality and many hardware interfaces had been springing up over
the previous months. Hoping to make development less painful for these
programmers, bring new add-ons to the product, and ultimately increase
its market share against the competing Google Talk and Yahoo IM and
voice services, Skype launched the API to capitalize on developer
interest.
The Skype API allows stand-alone applications to communicate directly
with a running Skype process by way of Windows messaging. The API is
split into two components: the Skype Phone API and the Skype Access
API. The Phone API provides an interface for connecting devices such as
USB phones. For our purposes, the Skype Access API is of much more
interest.
The Skype Access API enables external applications to control
certain Skype functions; for example, to place a call or to get a Skype
user profile. As you can imagine, this makes the API a very powerful
tool, so what’s stopping people using these features for malicious
intent? Well, in this instance the Skype API explains that “In the
interests of privacy and security, before an external application can
take control, Skype pops up the name of the application to the user and
asks if it is OK to allow access.” So, when an application attempts to
make its connection to Skype, the user is presented with a pop-up
window with the default “allow” option selected. However, because that
dialog is an ordinary window with “allow” pre-selected, an application
can dismiss it itself by programmatically clicking “OK”, and the user
often barely notices the window’s presence or the information it shows.
Once connected to Skype by the API, attackers have access to all the
key information related to the application. They can iterate through
the contact list, saving information about each address book entry.
They can view call and chat histories, place calls and start chat
sessions and, conveniently, transfer files.
Skype has some security measures in place to prevent the spread of
malware over their network. To send a file to a user, you must first be
authorized by that user. This is indeed a good idea, and to get around
it attackers must fall back on old-school social engineering. Note that
a worm running on an infected contact’s machine already passes this
check for everyone who has authorized that contact. For example:
messages from someone on your buddy list asking you to check out the
latest Internet game; messages from “Skype_Admin_23124512” telling you
to install the latest patch; messages from someone with an attractive
profile picture or Web site.
Another interesting feature of the Skype API is mapping sound input
and output to and from files. We can set up a virtual audio cable to
place a call, play a pre-recorded sound file, and hang up. This can be
used by telemarketers, or for social engineering before sending a
file.
Many of the above means of abuse are inherent in the familiar pattern
of a dialog asking the user for a decision. Risks can be decreased
using techniques like time-delayed "OK" boxes, but ultimately not
completely eradicated. Users need to remember to use patience when
installing and using Skype or any other software. They should ensure
that they pay particular attention to the implications of installing
add-ons to an existing application, as the risks may outweigh the
benefits of the particular feature they are hoping to use. Remember to
read and understand the notices that are displayed by the Skype API
before you click “OK”; this will give you the opportunity to reassess
any security concerns.
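The consent dialog described above (an “allow” button pre-selected and live the instant the window appears) and the time-delayed “OK” mitigation mentioned in the closing paragraph, modelled side by side as an added example. This is not code from the article or from Skype: the command strings follow the Skype public API text protocol (PROTOCOL-style commands such as SEARCH FRIENDS, GET USER <handle> FULLNAME, OPEN FILETRANSFER), but the gate, the two-second delay, the sample contact list and the error replies are constructed for the model.

```python
"""Consent-gate model for the Skype Access API attach dialog.

Added example, not Skype's code. Two policies are compared: the original
behaviour (default button is "allow", live immediately) and a hardened one
(default button is "deny", presses ignored until the dialog has been visible
for a minimum time). A simulated worm attaches by synthesising a click on
the default button and then harvests the contact list.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Policy:
    default_allow: bool   # True: "allow" is the pre-selected button (original UI)
    min_display: float    # seconds the dialog must be visible before a press counts


ORIGINAL = Policy(default_allow=True, min_display=0.0)
HARDENED = Policy(default_allow=False, min_display=2.0)  # assumed delay value


@dataclass
class Dialog:
    app_name: str
    opened_at: float
    policy: Policy

    def press(self, now: float, button: str | None) -> bool:
        """Resolve a button press. button is 'allow', 'deny' or None; None means
        the default button was activated (Enter, or a synthetic click on the
        default control, which is what a worm would send)."""
        if now - self.opened_at < self.policy.min_display:
            return False                       # time-delayed OK: too early, ignored
        if button is None:
            button = "allow" if self.policy.default_allow else "deny"
        return button == "allow"


class AccessApiGate:
    """Hypothetical gate in front of the Access API commands."""

    CONTACTS = {"alice": "Alice Example", "bob": "Bob Example"}  # constructed address book

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.attached: set[str] = set()

    def request_attach(self, app_name: str, now: float) -> Dialog:
        return Dialog(app_name, now, self.policy)

    def finish_attach(self, dialog: Dialog, now: float, button: str | None) -> bool:
        ok = dialog.press(now, button)
        if ok:
            self.attached.add(dialog.app_name)
        return ok

    def command(self, app_name: str, cmd: str) -> str:
        """Only attached applications may issue Access API commands."""
        if app_name not in self.attached:
            return "ERROR not attached"
        parts = cmd.split()
        if cmd == "SEARCH FRIENDS":
            return "USERS " + ", ".join(self.CONTACTS)
        if len(parts) == 4 and parts[:2] == ["GET", "USER"] and parts[3] == "FULLNAME":
            return f"USER {parts[2]} FULLNAME {self.CONTACTS.get(parts[2], '')}"
        if parts[:2] == ["OPEN", "FILETRANSFER"]:
            return "OK"   # the recipient-side authorisation check is out of scope here
        return "ERROR unknown command"


def worm_run(policy: Policy) -> list[str]:
    """A worm that clicks the default button the instant the dialog appears,
    then tries to harvest the contact list."""
    gate = AccessApiGate(policy)
    t0 = 100.0
    dlg = gate.request_attach("Skype_Addon.exe", t0)
    gate.finish_attach(dlg, t0, None)          # synthetic click, no delay
    return [gate.command("Skype_Addon.exe", "SEARCH FRIENDS"),
            gate.command("Skype_Addon.exe", "GET USER alice FULLNAME")]


def patient_worm_run(policy: Policy) -> bool:
    """A worm that waits out the delay and targets the 'allow' control itself:
    the delay lowers the risk but does not remove it."""
    gate = AccessApiGate(policy)
    dlg = gate.request_attach("Skype_Addon.exe", 100.0)
    return gate.finish_attach(dlg, 100.0 + policy.min_display, "allow")


def user_run(policy: Policy) -> bool:
    """A real user who reads the dialog and explicitly allows after 3 seconds."""
    gate = AccessApiGate(policy)
    dlg = gate.request_attach("usb_phone_driver", 100.0)
    return gate.finish_attach(dlg, 103.0, "allow")


if __name__ == "__main__":
    print("original policy, instant worm:", worm_run(ORIGINAL))
    print("hardened policy, instant worm:", worm_run(HARDENED))
    print("hardened policy, patient worm:", patient_worm_run(HARDENED))
    print("hardened policy, real user:   ", user_run(HARDENED))
```

Under the original policy the instant synthetic click is accepted and the contact list is read out; under the hardened policy the same click is ignored and every subsequent command is refused, while a user who reads the dialog still gets through. The patient worm shows the article’s caveat: a delay and a safer default only raise the bar, since a program that waits and targets the “allow” control directly still succeeds.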
OH NOOOOOO!!!!!
(flex)
So long, it's tiring to read!
so what's the point ..
(lots of IT terms I don't understand)
*good thing I don't use Skype*
anyway, just be careful :D
translate it, pleeease...!
ooohhh
give us the conclusion... do we have to uninstall??
if you want to keep using it, then don't uninstall it :)
but update your antivirus to one that has a feature to check whether something is trying to access our computer.. turn on the firewall..
and if there is a notification asking for access permission, don't grant it (allow, ed.) if you don't understand what/who it is..
good luck