May 16, 2013

Confirmed: Microsoft Visits Links You Send In Skype

I have independently verified The H's claim that Microsoft can read everything you send in Skype. Last night, a friend (@RedragonX) and I planned to have a fake conversation over Skype, discussing a nonexistent Internet Explorer 0day exploit (I figured we might as well trip some DHS keywords). Halfway through the conversation, I shared a URL.

Here's what we said:

[9:36:33 PM] Winston Smith: Hey man
[9:37:00 PM] RedragonX: hey, hat is up
[9:37:07 PM] RedragonX: lol
[9:37:13 PM] Winston Smith: i found an IE8 0day want it?
[9:37:27 PM] RedragonX: hmm. ya right .....
[9:37:34 PM] Winston Smith: seriously look her: https://defuse.ca/zvpebfbsg.htm
[9:39:08 PM] RedragonX: u didnt bypass  aslr tho?
[9:39:25 PM] Winston Smith: that's only part of it, i have a rop exploit, ill email the whole thing to you 1sec
[9:39:34 PM] RedragonX: hmm  ok
[9:39:38 PM] RedragonX: ty
[9:40:17 PM] Winston Smith: np i gtg now but have a look at it and tell me what you think.. try running it on some of your bots to see how reliable it is plz
[9:40:22 PM] Winston Smith: ttyl
[9:40:46 PM] RedragonX: ttyl

This morning, I checked my logs and found this:

1 - - [15/May/2013:23:03:54 -0600] "HEAD /zvpebfbsg.htm HTTP/1.1" 200 3930 "-" "-"

Someone ran a HEAD query on the URL 1 hour and 26 minutes after I sent it through Skype. Running a reverse DNS on this IP reveals that it does indeed have something to do with Microsoft:

52.65.in-addr.arpa.     3600    IN      SOA     ns1.msft.net. msnhst.microsoft.com. 2013051301 1800 900 7200000 3600

This shows that Microsoft has the ability to read Skype messages, and the hour of delay between the sending of the URL and Microsoft's request shows that they are (at least) storing some messages for over an hour.
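The log check described above can be automated; the following is an added example, not code from the original post. It scans Combined Log Format lines for requests to the shared URL's path and reports how long after sharing each one arrived. The function name, the sample client addresses (documentation ranges) and the assumption that the chat timestamps use the same UTC offset as the log are all constructed for illustration.

```python
import re
from datetime import datetime, timezone, timedelta

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def canary_hits(log_lines, canary_path, shared_at):
    """Return requests for canary_path made at or after shared_at, with the delay."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != canary_path:
            continue  # unparseable line, or a request for some other page
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if when < shared_at:
            continue  # a visit before the link was shared cannot be caused by it
        hits.append({
            "host": m["host"],
            "method": m["method"],
            "delay": when - shared_at,
            # No referer and no user agent is typical of an automated fetch.
            "anonymous_client": m["referer"] == "-" and m["agent"] == "-",
        })
    return hits

# Constructed sample input. 192.0.2.0/24 and 198.51.100.0/24 are documentation
# ranges; the timestamps mirror the ones quoted in the post.
LOCAL_TZ = timezone(timedelta(hours=-6))  # assumed: same offset as the log
SHARED_AT = datetime(2013, 5, 15, 21, 37, 34, tzinfo=LOCAL_TZ)
SAMPLE_LOG = [
    '198.51.100.7 - - [15/May/2013:21:30:02 -0600] "GET /index.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [15/May/2013:23:03:54 -0600] "HEAD /zvpebfbsg.htm HTTP/1.1" 200 3930 "-" "-"',
    'not a log line',
]

if __name__ == "__main__":
    for hit in canary_hits(SAMPLE_LOG, "/zvpebfbsg.htm", SHARED_AT):
        print(hit["host"], hit["method"], "delay", hit["delay"],
              "anonymous", hit["anonymous_client"])
```

A path that was never published anywhere else matters here: any request for it can only have come from someone who saw the message.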

I am running Skype version (Linux). My friend is running Skype version 4.1 (Linux).

If you are looking for an alternative secure instant messaging service, I highly recommend using Pidgin with the Off-the-Record Messaging Plugin.