Anyone who uses Skype instant messaging should be aware that parent company, Microsoft, is able and willing to read any message sent out.
Shortly after HTTPS URLs were sent over the instant messaging service, those URLs were visited from Microsoft's headquarters in Redmond, WA, according to researchers at heise Security in Germany.
A user informed heise Security he had observed some unusual network traffic following a Skype instant messaging conversation. The server indicated a potential replay attack. It turned out that an IP address which traced back to Microsoft had accessed the HTTPS URLs previously transmitted over Skype. Heise Security then reproduced the events by sending two test HTTPS URLs, one containing login information and one pointing to a private cloud-based file-sharing service. A few hours after their Skype messages, they observed the following in the server log:
18.104.22.168 - - [30/Apr/2013:19:28:32 +0200] "HEAD /…/login.html?user=tbtest&password=geheim HTTP/1.1"
They too had received visits to each of the HTTPS URLs transmitted over Skype, from an IP address registered to Microsoft in Redmond. URLs pointing to encrypted web pages frequently contain unique session data or other confidential information. HTTP URLs, by contrast, were not accessed. In visiting these pages, Microsoft made use of the login information and of the specially created URL for the private cloud-based file-sharing service.
In response to an enquiry from heise Security, Skype referred them to a passage from its data protection policy:
“Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links.”
A spokesman for the company confirmed it scans messages to filter out spam and phishing websites. This explanation does not appear to fit the facts, however. The catch is that spam and phishing sites are not typically hosted on HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP URLs, which carry no information about ownership, untouched. Skype also sends HEAD requests, which merely retrieve administrative information about the server. To check a site for spam or phishing, Skype would need to examine its content.
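The log entry quoted above and the HEAD requests discussed here are exactly the kind of evidence a site owner would want to catch automatically. The following Python is an added example, not code from heise Security or the original article: it parses common-log-format lines, flags requests that carry credential-like query parameters (such as user/password) from any address not in a trusted set, and so surfaces a third-party fetch of a URL that should never have contained a secret in the first place. The sample log lines, the trusted address 203.0.113.5 and the parameter list are constructed for the example.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Common log format, the layout of the entry quoted in the article; status and size are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"'
    r'(?: (?P<status>\d{3}) (?P<size>\S+))?'
)

# Query parameter names that should never travel inside a URL (assumed list, extend for your app).
SENSITIVE_PARAMS = {"user", "password", "passwd", "pwd", "token", "session", "sid", "key"}

# Constructed sample log: the owner's own visit, then a third-party HEAD request to the same
# credential-bearing URL hours later (modelled on the article's entry), then a harmless page.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Apr/2013:15:02:11 +0200] "GET /login.html?user=tbtest&password=geheim HTTP/1.1" 200 512',
    '18.104.22.168 - - [30/Apr/2013:19:28:32 +0200] "HEAD /login.html?user=tbtest&password=geheim HTTP/1.1" 200 -',
    '18.104.22.168 - - [30/Apr/2013:19:28:40 +0200] "HEAD /index.html HTTP/1.1" 200 -',
]

def parse_line(line):
    """Return a dict with ip, timestamp, method, path and parsed query parameters, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def find_leaked_url_fetches(lines, trusted_ips):
    """Return (ip, method, path, sorted sensitive parameter names) for every request that
    carries a sensitive query parameter and originates outside trusted_ips."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in trusted_ips:
            continue
        leaked = sorted(SENSITIVE_PARAMS & {k.lower() for k in rec["params"]})
        if leaked:
            hits.append((rec["ip"], rec["method"], rec["path"], leaked))
    return hits

if __name__ == "__main__":
    for hit in find_leaked_url_fetches(SAMPLE_LOG, {"203.0.113.5"}):
        print("third-party fetch of secret-bearing URL:", hit)
```

Any hit at all is worth acting on twice over: rotate the exposed credential or link, and move the secret out of the URL (POST body, header or cookie) so that link scanners and proxies cannot replay it.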
Back in January, civil rights groups sent an open letter to Microsoft questioning the security of Skype communication since the takeover. The groups behind the letter, which included the Electronic Frontier Foundation and Reporters Without Borders, expressed concern that the restructuring resulting from the takeover meant Skype would have to comply with U.S. laws on eavesdropping and would therefore have to permit government agencies and secret services to access Skype communications.