Misconceptions about Skype local database

Hi there guys. Recently I wrote an article with the title “I didn’t know Skype stores your data in a local database without a password!”. After publishing that article I got a lot of responses from people like you, and I came to know that it is not a vulnerability. This is because the database is stored in the “appdata” directory, which can only be accessed by the administrator, meaning that only an administrator account can open it. If you want someone else to use your computer, just make a guest account, which will restrict their level of access to the main directories only (this excludes the appdata directory). If you want to see your Skype logs, then simply log in to your Skype account rather than going the complex way of accessing the local database.
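If you want to check that claim on your own machine rather than take it on faith, the following PowerShell snippet (an added example, not from the original post or from SkypeFreak) lists every principal that has an Allow entry on the Skype profile folder and flags anything beyond the profile owner, SYSTEM and the local Administrators group. The folder path `%APPDATA%\Skype` is an assumption; adjust it if your Skype build keeps its profile elsewhere.

```powershell
# Added example: audit who is allowed to read the Skype profile folder.
# Path is an assumption (classic Skype kept its profile under %APPDATA%\Skype).
$skypeDir = Join-Path $env:APPDATA 'Skype'

if (-not (Test-Path $skypeDir)) {
    Write-Warning "No Skype profile folder found at $skypeDir"
    return
}

# Principals that are expected to have access on a single-user machine:
# the profile owner, the SYSTEM account and the local Administrators group.
$expected = @(
    "$env:USERDOMAIN\$env:USERNAME",
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators'
)

$acl = Get-Acl -Path $skypeDir
Write-Host "Folder: $skypeDir"
Write-Host "Owner : $($acl.Owner)"
Write-Host ''

foreach ($ace in $acl.Access) {
    # Deny entries restrict access rather than grant it; they are not a concern here.
    if ($ace.AccessControlType -ne 'Allow') { continue }

    $who = $ace.IdentityReference.Value
    # Anything that is not in the expected list (for example BUILTIN\Users or
    # Everyone) deserves a look, because it means other accounts on this
    # machine could open the database without being an administrator.
    $status = if ($expected -contains $who) { 'expected' } else { 'REVIEW' }
    '{0,-8} {1,-35} {2}' -f $status, $who, $ace.FileSystemRights
}
```

Any line marked `REVIEW` means a non-administrator account also has rights on the folder, so the reasoning in the paragraph above would not hold for that machine.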

However, the tool (SkypeFreak) which I posted about in the previous post can be used as a post-reconnaissance tool, which means that if you hack into a computer, then you can use the tool to access the Skype data without knowing the password.

Finally, I would like to apologize to all of you for any misconceptions which my previous post might have created in your mind. You can safely discard those misconceptions as my mistake.

source: Previous post

  1. Do not apologize that fast…

    The report is certainly not being explicit about this, but there are other things to take into account about data stored in plain-text/unencrypted format (like sqlite).

    You should consider the scope of the data, the maximum duration of it, basic crypto algorithms to avoid untargeted attacks and other things that can be better secured…

    There are many BIG problems in Skype security design. It is not that other user accounts can access your data, but storing something in appdata is not a 100% safe way of doing security.

    Also, consider the domain for the link provided by your visitor. Microsoft is the current developer of Skype and it does not have a clear record of best security practices. I will not expect those in its own developers’ network.

