Back to list
Skype API Ap2Ap Stream Creation Flaw
Aug 18 2006 11:06PM
vizig0thblitz gmail com
Re: Skype API Ap2Ap Stream Creation Flaw
Aug 21 2006 08:28PM
Stephen Samuel (samnospam bcgreen com)
Other than the fact that this takes advantage of skype's built-in
encryption, I don't see how this is that much different than any other
network-capable application being built with backdoors and call-home
vizig0thblitz (at) gmail (dot) com [email concealed] wrote:
> An application-to-application stream can be created between two Skype clients without having established normal communications between them and both Skype client's contact lists are empty. With this ability any Skype enabled application can create a convert communication stream to a central server. This can only occur, of course, if the user voluntarily installs the application. Therefore, the main attack vector for this functionality is to create a legitimate Skype-enabled application, have the user install the application, and once the user starts the application make a covert connection to a central server. Once the connection to the central server is made, additional software can be downloaded and installed on the target computer via the application-to-application stream.
> Scenario Setup:
> The following will be needed to recreate the scenario:
> 1.Two computers with Skype installed and two separate Skype Ids that have had no communication between them.
> 2.A copy of SkypeTracer installed on each computer.
> Scenario Steps:
. . . . .
Stephen Samuel +1(778)861-7641 samnospam (at) bcgreen (dot) com [email concealed]
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to light.
[ reply ]
Copyright 2010, SecurityFocus