Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

A Backdoor in Skype for Mac OS X

Trustwave recently reported a locally exploitable issue in the Skype Desktop API Mac OS-X which provides an API to local programs/plugins executing on the local machine. The API is formally known as the Desktop API (previously known as the Skype Public API – Application Programming Interface) and it enables third-party applications to communicate with Skype. As described in the Trustwave advisory, the issue is an authentication by-pass discovered in the API whereby a local program could by-pass authentication if they identified themselves as the program responsible for interfacing with the Desktop API on behalf of the Skype Dashboard widget program.

A Backdoor?

An interesting possibility is that this bug is the result of a backdoor entered into the Desktop API to permit a particular program written by the vendor to access the Desktop API without user interaction. Indeed, this possibility seems even more likely when you consider that the Desktop API provides for an undocumented client name identifier (namely "Skype Dashbd Wdgt Plugin").

Notifying the user of Desktop API through the backdoor works differently than the normal course of action which is to notify the user of an access attempt and prompt the user for permission. In the case of the backdoor no such notification attempt is made and as such the user is not given the opportunity to deny access. Furthermore, no mention is made in the "Manage API Clients" list. This allows any program accessing the Desktop API through the backdoor to remain hidden from the user.

Finally, no attempts are made to determine what programs that are accessing the Desktop API since they identify themselves as the undocumented client name identifier "Skype Dashbd Wdgt Plugin". This opens up the potential for abuse by third-party programs, including malware, running locally on the machine.

An unused backdoor?

Curiously, the actual Skype Dashboard widget does not seem to utilize the backdoor into the Skype Desktop API despite the name "Skype Dashbd Wdgt Plugin". This raises the possibility that the backdoor is the result of a development accident which left the code behind accidentally during the process of implementing the Dashboard plugin. If it was a coding accident, it is an old one. Our investigations have shown that the string "Skype Dashbd Wdgt Plugin" has been present in versions of Skype for Mac OS-X for some 5+ years.

Discontinued, but not forgotten

The Desktop API is being discontinued and gradually phased out of the Skype application across all platforms. However, the original Desktop API was text based and documentation can still be found thanks to the Wayback machine.

What can you access?

The Desktop API, in previous versions, permitted access to nearly everything that Skype can offer. This included, but was not limited to: notifications of incoming messages (and their contents), modifying messages and creating chat sessions, ability to log and record Skype call audio to disk and retrieve user contacts. In later versions of the Desktop API, access to text messages was dropped from the specification but access to other features remained.

How easy is the backdoor to use?

Accessing the backdoor is as easy as changing a single line of code in the numerous examples given by Skype themselves in how to use the Desktop API. A simple change to the 'clientApplicationName' NSString method (or CFString member variable if using the Carbon API), setting this value to "Skype Dashbd Wdgt Plugin" is all that is required.

The technical bit

Discovering the backdoor is a relatively trivial process, in fact this can be done with a simple call to the GNU utility 'strings', for instance:

8479_2b21ceb5-90c0-4df7-a49b-ff6d6d7a3396

You can obtain a source disassembly of the responsible function by utilizing Hopper to disassemble the Skype application binary, the results are shown below:

8313_2252bb74-8268-41fb-9df4-990568dea9ac

In the above image you can see that the member function 'authLevelForApplication:(NSString *)applicationName' of the object 'SkypeAPIController' returns 1 ('YES') if the value of 'applicationName' is equal to 'Skype Dashbd Wdgt Plugin'.

Versions of Skype prior to the Microsoft acquistion utilized one form or another of binary obfuscation/encryption where the binary dynamically unpacked itself upon execution. This is a typical technique to hamper efforts to extract information and reverse engineer the program. However, in general these techniques were trivial to by-pass by simply attaching a debugger and dumping the pages of memory containing executable code.

Latest SpiderLabs Blogs

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More

Physical Address Strangeness in Spam

Ten years ago, Congress passed the "CAN-SPAM Act" (also known as theYou-CAN-SPAM Act, since it defined legal spam and supersedes any stricter state-antispam laws). One of the provisions of the act is...

Read More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising

During an Advanced Continual Threat Hunt (ACTH) investigation that took place in early December 2023, Trustwave SpiderLabs discovered Ov3r_Stealer, an infostealer distributed using Facebook...

Read More