A bug in Skype made it easy to bypass Android security. A combination of bad design and a bug in the code made it possible to bypass Android’s lock screen by answering a Skype call.
That’s what nineteen-year-old bughunter Florian Kunushevci reports to The Register. The bughunter discovered the problem in the course of 2018 and reported it to Microsoft in October. Microsoft has since fixed the bug. As of version 8.15.0.416 the problem is fully resolved, but earlier versions of Skype are still affected.
Childishly simple
The bug makes it possible to bypass the Android lock screen, and doing so turns out to be childishly simple. If a phone is running one of the older versions of Skype, all you need to do is call the phone. Whoever has the phone can then answer the call, and the phone suddenly appears to be unlocked. It is possible to view photos, find contacts, send messages and open the browser.
The whole system is not exposed; only the parts that are accessible via the Skype app are. The browser on the phone can only be opened by clicking a link within the Skype app. The vulnerability affects Skype on all versions of Android, the bughunter suggests.
According to Kunushevci, the problem ultimately comes down to a simple design flaw in the app, but also a small bug in the code. “The bug I found in Skype is mainly bad design and a bug in the code. All in all, I think people just make mistakes,” says the bughunter.
It is not known how long the vulnerability was in the app or whether it was exploited.