Skype is a hugely popular communication tool. Indeed, Skype for Business is the most dominant workplace chat platform. So it is worrying to hear that Microsoft's app can be used to bypass a smartphone's lock screen and security to enter the device.
It seems the exploit only occurs on Android, allowing users to access a phone's system without needing a passcode. With access, anyone can view the device's photos and contacts, browse, and see onboard data.
Florian Kunuschevi discovered the flaw and reported it to Microsoft. Anyone with the phone in hand can receive a Skype call, answer it, and then access various areas of the device (photos, contacts, messages, and browser) through sent links.
Kunuschevi described how he found the vulnerability:
“One day I got a feeling while using the app that there should be a need to check a part which seems to give me other options than it should. Then I had to change the way of thinking as a regular user into something that I can use for exploitation. For the specific bug that I have found on Skype, it is more of a bad design and also a bug in coding. I think to put it all together, humans make mistakes.”
Microsoft received the report during October and released a patch before making an official announcement. It seems the company will keep quiet on the situation, but at least it has been fixed.
Whose Fault is it Anyway?
Perhaps Microsoft's silence stems from the company not really thinking it is at fault. Sure, there was a coding error in Skype that has now been fixed. However, I can't help but ask myself the following question:
If an OS's security can be bypassed by bad coding in a third-party app, isn't the OS simply not secure?
Shouldn't Android be more secure against bad coding in an app? It's an interesting thing to consider, not least because it suggests that if Microsoft's apps can bypass a lock screen through bad coding, then any app could do it.