30 Apr 2014

Skype Saves Users’ Data in Plain Text, Security Researchers Say

Popular voice calling service Skype has come under scrutiny recently by researchers who discovered the company leaves its local database unencrypted, potentially exposing users’ private information to cyber-attack.

Skype stores names, birthdays, phone numbers, contact lists, location details and even full conversations in plain text on users’ hard drives with no security measures, the Hackyard Security Group told The Hacker News.

In the blog post, researchers showed that users’ account information, including phone numbers and city names, is easily available to anyone who gets access to an unprotected device. Therefore, a security flaw or malware infection could leave millions of Skype users vulnerable to identity theft.

“Call logs and private conversations are interesting enough for cyber-criminals, especially given that most businesses offer support via Skype, so business details may be mixed with personal chats. Any jealous spouse or script kiddie can patch together code to steal the file or social engineer a victim into sending it, then unpack its contents for their own use,” said Bogdan Botezatu, Senior E-Threat Analyst for Bitdefender.

A temporary fix consists of deleting main.db, the database file containing users’ details, each time after closing the application. Over the long term, hardware/disk encryption is a good proactive security measure, since it protects data even when the computer is off. This way, intruders can’t extract data using a USB stick or live CD.
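A sketch of how a user or administrator could check for the exposure and apply the temporary fix. This is an added example, not code from the researchers or from Skype. It assumes main.db is a standard SQLite file (background knowledge, not stated in the article), and the profile directory and function names are hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path

# First 16 bytes of any unencrypted SQLite 3 database file.
SQLITE_MAGIC = b"SQLite format 3\x00"

def find_databases(profile_root, name="main.db"):
    """Locate every copy of the database under a profile directory."""
    return sorted(Path(profile_root).rglob(name))

def audit_db(path):
    """Report whether the file is plaintext SQLite and who may read it."""
    p = Path(path)
    with p.open("rb") as fh:
        header = fh.read(len(SQLITE_MAGIC))
    mode = stat.S_IMODE(p.stat().st_mode)
    return {
        "path": str(p),
        "plaintext_sqlite": header == SQLITE_MAGIC,
        # POSIX permission bits; on Windows inspect the file's ACL instead.
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }

def remove_after_exit(path):
    """The temporary fix: delete the file once the client has been closed.
    A plain delete does not wipe the disk blocks, which is one reason
    disk encryption is the longer-term measure."""
    p = Path(path)
    if p.exists():
        p.unlink()
    return not p.exists()

def demo():
    """Run the audit against a constructed stand-in file, not a real profile."""
    with tempfile.TemporaryDirectory() as root:
        profile = Path(root) / "example_user"      # hypothetical profile name
        profile.mkdir()
        db = profile / "main.db"
        db.write_bytes(SQLITE_MAGIC + b"\x00" * 84)  # constructed 100-byte header
        os.chmod(db, 0o644)
        before = audit_db(find_databases(root)[0])
        os.chmod(db, 0o600)                         # restrict to the owner only
        after = audit_db(db)
        return before, after, remove_after_exit(db)

if __name__ == "__main__":
    print(demo())
```

Tightening permissions only limits other local accounts; the file remains readable to anything running as the user and to anyone who boots the machine from external media.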

To prevent data loss and other security hazards, users are also advised to keep their antivirus solution and installed software up to date, use a secure firewall and exercise caution when clicking suspicious links.