Design flaw in the Android version of Skype app allows you to unlock the phone without a password
A bug hunter has discovered a vulnerability in Microsoft’s Android version of Skype app that can be exploited to access several app functions without entering passcode authentication to unlock the phone.
Kosovo-based bug-hunter Florian Kunushevci, who discovered the vulnerability, demonstrated the bypass in a YouTube video (see below). The video shows that anyone in possession of someone’s phone to receive a Skype call, can answer it without unlocking the handset.
Once the person answers the call, he or she can then view photos, access contacts, send a message, and access the browser by clicking on the links sent in the message. All these actions can be carried out without the need to unlock the phone.
Kunushevci, who is an everyday user of the Skype for Android app, discovered that there was something wrong the way in which the app accessed local files on the handset while performing VoIP calls.
“One day I got a feeling while using the app that there should be a need to check a part which seems to give me other options than it should,” he explained to The Register. “Then I had to change the way of thinking as a regular user into something that I can use for exploitation.”
The researcher discovered that when a Skype call is answered, several phone application functions like photo-sharing and contact look-ups could be accessed regardless of whether the phone was locked or not. In other words, the vulnerability allows anyone to access the photo and contact feature without confirming if the person using the handset was authenticated.
Just like multiple iOS flaws found in the system over the years, this vulnerability is due to a slight oversight in system’s security. Kunushevci said, “For the specific bug that I have found on Skype, it is more of a bad design and also a bug in coding. I think to put it all together, humans make mistakes.”
Kunushevci reported the security flaw to Microsoft in October before disclosing it to the public. Apparently, the vulnerability was corrected in the version of Skype released on December 23, 2018, which is safe to use.
It is suggested that users install or upgrade to the latest version of Skype for Android app for better security, as this vulnerability affects Skype on all Android versions. Please note that the patch for this bug is included in all the Skype app builds with a version number over 126.96.36.1996 for different Android versions.
Microsoft has yet to issue an official statement on the matter.