Chrome Skype Extension Found by Researcher to be Leaking User Information

by CISOCONNECT Bureau

Microsoft has fixed a security flaw in its Skype extension for Chrome that put millions of users’ account information at risk.

Wladimir Palant, a security researcher, discovered a “trivial” bug in the Skype-for-Chrome extension, which has nine million user installations, that allows websites to access information about user accounts that should typically be off-limits.

“The privacy flaw is simple,” Palant told The Daily Swig.

“The extension leaks your Skype name to any website interested. Usernames and profile images can be freely retrieved by Skype name.”

The security vulnerability was found in the extension’s identity-tracking functionality, which could determine if a user was logged into a Microsoft account, according to the researcher.

Palant observed that the user identifier was handled in the extension’s content script. However, he noted that “in a content script context, sessionStorage is no longer extension’s storage, it’s the website’s. So the website can read it out trivially”.
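The storage-scoping point above can be modelled in a few lines. This is an added example, not code from the Skype extension, Microsoft or Palant: it is a constructed Node model of a tab in which a content script and the page share one `sessionStorage`, with a hypothetical key name and a constructed identifier, and with `extensionStorage` standing in for extension-scoped storage such as `chrome.storage.local`.

```javascript
// Constructed Node model of one browser tab; not real extension code.
class Store {
  constructor() { this.items = new Map(); }
  setItem(k, v) { this.items.set(k, String(v)); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  keys() { return [...this.items.keys()]; }
}

// Stands in for extension-scoped storage such as chrome.storage.local:
// page scripts never receive a reference to it.
const extensionStorage = new Store();

function openTab() {
  const sessionStorage = new Store(); // belongs to the website's origin
  return {
    // What the website's own JavaScript can reach.
    pageWorld: { sessionStorage },
    // A content script sees the same DOM storage plus extension APIs.
    contentScriptWorld: { sessionStorage, extensionStorage },
  };
}

const KEY = "exampleUserId"; // hypothetical key name

// Weak pattern: identifier written to sessionStorage from a content script.
function leakyContentScript(world, userId) {
  world.sessionStorage.setItem(KEY, userId);
}

// Corrected pattern: identifier kept in extension-scoped storage only.
function isolatedContentScript(world, userId) {
  world.extensionStorage.setItem(KEY, userId);
}

// Audit helper: everything the page can enumerate after the script ran.
function pageVisibleKeys(tab) {
  return tab.pageWorld.sessionStorage.keys();
}

function runDemo() {
  const leaky = openTab();
  leakyContentScript(leaky.contentScriptWorld, "constructed-skype-name");
  const fixed = openTab();
  isolatedContentScript(fixed.contentScriptWorld, "constructed-skype-name");
  return {
    leakyPageReads: leaky.pageWorld.sessionStorage.getItem(KEY),
    fixedPageReads: fixed.pageWorld.sessionStorage.getItem(KEY),
    leakyKeys: pageVisibleKeys(leaky),
    fixedKeys: pageVisibleKeys(fixed),
  };
}
```

When reviewing an extension, any `sessionStorage` or `localStorage` write in a content script should be treated as data handed to the host page.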

Palant said he reported the flaw to Microsoft on December 1, 2021, along with a proof of concept, but received no reaction from Microsoft’s security team.

In response to questions from The Daily Swig back in February, a Microsoft spokesperson said: “Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible.”

The Skype extension received an update on February 24 as the researcher’s public disclosure deadline of March 1 drew nearer.

“After a lengthy period of communication silence, [Microsoft] finally published an update to resolve the issues,” Palant said.

“The new release shares no functionality with the old extension and is essentially a completely new product. Hopefully this one will no longer be abandoned.”
