Skype Linux Reads Password and Firefox Profile
mrcgran writes "Users of Skype for Linux have just found out that it reads the files /etc/passwd, firefox profile, plugins, addons, etc, and many other unnecessary files in /etc. This fact was originally discovered by using AppArmor, but others have confirmed this fact using strace on versions 1.4.0.94 and 1.4.0.99. What is going on? This probably shows how important it is to use AppArmor in any closed-source application in Linux to restrict any undue access to your files."
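The summary's closing recommendation, confining a closed-source client with AppArmor so it cannot wander through your home directory, as an added example profile. It is not from the page, from Skype or from any distribution's shipped profiles; the binary path /usr/bin/skype, the state directory ~/.Skype and the list of directories to deny are assumptions.

```apparmor
# Added example profile, not Skype's or any distribution's own.
# Assumes the binary is /usr/bin/skype and keeps its state in ~/.Skype.
# Save as /etc/apparmor.d/usr.bin.skype and load with:
#   apparmor_parser -r /etc/apparmor.d/usr.bin.skype
#include <tunables/global>

/usr/bin/skype {
  #include <abstractions/base>
  # nameservice grants read access to /etc/passwd and /etc/group; glibc's
  # getpwuid() needs them to find the home directory, so they are not denied.
  #include <abstractions/nameservice>
  #include <abstractions/audio>
  #include <abstractions/fonts>
  #include <abstractions/X>

  /usr/bin/skype mr,
  /usr/share/skype/** r,

  # The client's own state: read/write for the invoking user only.
  owner @{HOME}/.Skype/ rw,
  owner @{HOME}/.Skype/** rwk,

  # Files a VoIP client has no business reading. "audit" logs every attempt,
  # so the kernel log shows what the program wanted even though it was refused.
  audit deny @{HOME}/.mozilla/** r,
  audit deny @{HOME}/.ssh/** r,
  audit deny @{HOME}/.gnupg/** r,
  audit deny /etc/shadow r,

  # Anything not listed above is refused (and logged) once the profile is in enforce mode.
}
```

Start with `aa-complain /usr/bin/skype` and watch the kernel log (the `apparmor="DENIED"` lines) to collect what the client actually needs before switching to `aa-enforce`, otherwise the first run will break on a file you did not think of. Note that the profile deliberately does not deny /etc/passwd: with shadow passwords the file holds no secrets, and denying it breaks ordinary getpwuid() lookups. If the guess later in this thread is right and the client reads the Firefox profile only to find a proxy setting, the denied read shows up in the log with the exact path, which settles the question better than speculation does.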
We already know that Skype records a lot of other information, including your BIOS: http://www.pagetable.com/?p=27
Oh my God! ls -laF is looking at my .mozilla directory! In fact, it's looking at every file in my home directory! GNU binutils is teh spywarez! ... what do you mean, it's supposed to do that?
Well, obviously it also only took one person to discover the same in a closed source application.
Of course it would be easier to see the hows and whys in an open source application, but once you know, you know, and that's really at the core of the matter.
Interesting you should say that - did you read the linked thread on the Skype forum? Here's a later post (emphasis added):
Pidgin, née Gaim, is GPL. A quick search on one of its mailing lists shows no useful hits for
They want their critical Unix vulnerability back.
Darn - all I have to do is cat /etc/passwd from a regular account... let's see... gee, the sysadmin on this machine is a dumbass - what sort of root password is "x"?
OMG its on Mac OS as well - the root password here is '*' - well, at least they've used a non-alphabetic character.
What's that you say Mr Sock... /etc/passwd is a public file and no security-conscious distro has actually stored passwords in there since the encryption was cracked (at least for dictionary words) sometime in the 80s?
Wake me up if Skype actually emails a readable copy of /etc/passwd to the black hats - even then, it shouldn't be enough to compromise a system (although a list of usernames might be handy).
In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
I seem to be able to confirm this. When I run skype, it does not read /etc/passwd, I expect because my user information is distributed using LDAP. Therefore, it instead connects to nscd.
First you assume that the person(s) that read it would catch anything evil in it. It's not like the evil code is necessarily going to be in a function called doEvil(), it could be very cleverly hidden among legit functions so that most people would miss it. With good obfuscation it wouldn't be hard to make something that people would have to play with a debugger just to figure out what is going on, and as such miss it on anything less than a really intense code audit.
Second, you assume the people who look at it aren't in on it. So maybe a couple people look at the code and find the evil bits. They contact the developer and ask what's up. The developer then lets them in to his cabal, who can use the evil bits for their own ends. The people decide they like this and don't tell anyone. The people who read the code have to be honest for this to work.
Third, you assume that anyone other than the developer even bothers to look at the code. Not always a valid assumption; just because the code is there doesn't mean anyone gives a shit. Maybe it is too complicated, maybe they just don't care; regardless, the code being open is no guarantee that someone looked.
Fourth, you assume that the binaries are the same as the source. I'm betting at least some of the time, and probably more often than that, you install things from a binary package. It's easy and much faster than compiling everything. Great, but how do you know the source follows the binaries? It would be easy to release an untainted source, and then tainted binaries. That the checksums differed wouldn't be of any note, since it could just be that different compile options were used, or even a different compiler (for example using ICC since it generates more efficient binary code). As such no source audit would ever turn up the problems.
Finally, even if you compile your own, you assume that nothing else is in on it. I'll refer you to the classic Ken Thompson story http://cm.bell-labs.com/who/ken/trust.html. Some other program, and not just the compiler, could be in on inserting a trojan. It might never exist in source form, yet always get compiled in. Thus even a build from a verified source isn't a defense.
Really, what it comes down to is open source may give you a warm, fuzzy feeling but it isn't actually proof everything is on the level. Really, you have to test what the software actually does when it is run. You can't say "Well the source is open so it can't do anything evil," because you just don't know that. It's far more useful to analyze how the program acts on a system, than to look over the code.
After all, if looking at the code revealed everything, OSS would never have any bugs. You'd look at the code, see all the bugs, they'd all get fixed. Yet it does, nasty ones. My favourite is the BIND flaw discovered back around 2000 that was in essentially every version of BIND ever. Despite the fact that many people had looked at the code, nobody had ever noticed this. There was no ill intent, no conspiracy, it just wasn't something people saw.
As such the same could be done for something evil. Hide it well enough in the code, and nobody will notice it.
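The summary's strace confirmation and the post above's point that you have to test what software actually does when it runs, as an added example that is not from the page or from Skype: a POSIX shell and awk filter over strace file-syscall output that lists every access to a path you consider sensitive and whether the kernel let it through. The sample log lines are constructed, not a real Skype capture, and the list of flagged paths is an assumption.

```shell
#!/bin/sh
# Added example, not code from the page or from Skype: flag file accesses that a
# VoIP client has no obvious reason to make, from strace output.

# Path components worth a question. Assumed list; extend to taste. No backslashes,
# because awk -v processes escape sequences in its argument.
SENSITIVE_RE='(^|/)([.]mozilla|[.]ssh|[.]gnupg|[.]purple|[.]bash_history|passwd|shadow)(/|$)'

# Read strace text on stdin (with or without -f pid prefixes and -tt timestamps)
# and print one tab-separated line per syscall on a sensitive path:
#   pid  syscall  path  outcome      (outcome is "ok", an errno name, or "unfinished")
strace_flag_sensitive() {
  awk -v re="$SENSITIVE_RE" '
    {
      # The syscall name is the identifier right before the first "(".
      if (!match($0, /[a-z0-9_]+\(/)) next
      call = substr($0, RSTART, RLENGTH - 1)
      # The first double-quoted argument is the path for open/openat/stat/access/readlink.
      if (!match($0, /"[^"]*"/)) next
      path = substr($0, RSTART + 1, RLENGTH - 2)
      if (path !~ re) next
      # " = -1 ERRNO" means the kernel refused; a non-negative result means the access went ahead.
      outcome = "ok"
      if ($0 ~ /<unfinished/) outcome = "unfinished"
      else if (match($0, / = -1 [A-Z]+/)) outcome = substr($0, RSTART + 6, RLENGTH - 6)
      pid = ($1 ~ /^[0-9]+$/) ? $1 : "-"
      printf "%s\t%s\t%s\t%s\n", pid, call, path, outcome
    }'
}

# Trace a command and report. Requires strace; -e trace=file selects every
# syscall that takes a filename. Example: trace_sensitive skype
trace_sensitive() {
  log=$(mktemp) || return 1
  strace -f -e trace=file -o "$log" "$@" >/dev/null 2>&1
  strace_flag_sensitive < "$log"
  rm -f "$log"
}

# Constructed sample in strace -f format (not a real Skype capture).
SAMPLE='4711  open("/etc/ld.so.cache", O_RDONLY) = 3
4711  open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
4711  openat(AT_FDCWD, "/home/alice/.mozilla/firefox/profiles.ini", O_RDONLY) = 5
4711  stat("/home/alice/.mozilla/firefox/a1b2c3d4.default/prefs.js", {st_mode=S_IFREG|0600, st_size=8192, ...}) = 0
4712  open("/home/alice/.ssh/id_rsa", O_RDONLY) = -1 EACCES (Permission denied)
4712  access("/etc/shadow", R_OK) = -1 EACCES (Permission denied)
4712  open("/usr/share/skype/lang/skype_en.qm", O_RDONLY) = 6
4711  open("/etc/hosts", O_RDONLY) = 7'

if [ $# -gt 0 ]; then
  trace_sensitive "$@"
else
  printf '%s\n' "$SAMPLE" | strace_flag_sensitive
fi
```

Run it as `./trace_sensitive.sh skype` (any name will do) and read the outcome column: a successful open of ~/.mozilla/firefox/profiles.ini is a different finding from a stat() that merely checked whether the directory exists, and both differ from an EACCES. The /etc/passwd line is expected from almost any program that calls getpwuid(), so the interesting rows are the ones under the home directory. A readlink or access on a path still says nothing about what was done with the contents; for that you need the network side as well, which this script does not cover.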
I have a modest suspicion that skype is more than it seems. I don't believe in 98% of conspiracy theories (like 9/11 'it was an inside job bomb' crap), but this one is not entirely crazy.
I do know that the Intelligence Community people in the US and elsewhere were very concerned about declining abilities to track and trace communications used by their targets, as compared to conventional telecom, where they have quasi-official backdoors installed directly with the telecom companies.
Notice the extraordinary anti-decompiling and self-modifying nature of the skype code---even manages to thwart many popular *hardware debuggers* and virtual machine strategies. The protocol itself is extremely obscure and apparently encrypted. I don't have a link but I think this can be easily verified, as I saw a presentation online which detailed some attempts to understand skype. This was not just good 'ordinary' hackers, but appeared to be the work of very serious and very professional full time computer security people, i.e. state-supported grey hats.
The level of self-security and the investment necessary to pursue this seems totally disproportionate to any commercial needs. This reflects a very serious investment of talent and money.
So why is it there?
But the really unusual fact to ponder is this: Why did eBay buy skype, and at such a high price?
It makes no sense commercially for skype or eBay. I believe the reason is simple: to bring skype development and download servers and most importantly connection servers under U.S. jurisdiction. Once it is so, the government can now (thanks to our now imperial enabling acts) simply order eBay/skype to put in spyware and order them to never talk about it. Most probably the government approached US companies with this proposal and shopped around until it found one who would say yes.
A financial analyst might see something funky in eBay financials if they were clever, there no doubt has to be some payment or other compensation to eBay.
Now the reason for the hypersecurity is clear---to mask whatever data are going *OUT* from skype and whatever it is installing. For some reason I have the suspicion that uninstalling won't completely uninstall quite everything.
There is probably some kind of Manchurian Daemon ability too---if They find somebody they really want to track. Why? Because it makes sense that they'd want to do so.
This is like a blast of deja vu... in the early 1990s the ISP Prodigy was accused of stealing information from their users, based on bits of personal information that some users found in their cache files (due to the client using uninitialized disk space, reclaimed from previously deleted files by the OS). Much paranoia and very little enlightenment followed in online discussions. See e.g. http://en.wikipedia.org/wiki/Prodigy_(ISP)#Spyware-like_behavior
Have you read my blog lately?
My guess is: they are looking for http/https proxy definitions there.
Since there is no standard place on Linux to store this, they look into Firefox configuration files.
Your guess is just as good as mine, of course.
So you really think that if the code was open source from the start this would not have been addressed earlier?
BTW, it makes me wonder what we don't know about Skype for Windows where you do not have as many tools for monitoring file-access and stuff.
If you mod this up, your slashdot background will turn into a beautiful sunset!
"True, but if your list of usernames leaks out it saves remote attackers having to try non-existent usernames in a dictionary attack..."
This is an excellent point that many of the flamers fail to understand. Yes, a local user account has read access to /etc/passwd, but a hacker looking to tap into a 0-day exploit does not. My guess about Skype is that they are harvesting usernames and selling those to spammers and/or providing those usernames to a government agency. In case anyone missed it, the U.S. government has been doing quite a bit of data mining since 9/11/2001, so being able to discreetly grab all the usernames off of a computer would play into this.
I just ran an strace on GoogleEarth and it also reads /etc/passwd. I'm not so worried though because /etc/passwd is shadowed, none of my passwords (user and root) can be dictionary attacked, and my system will time out after 3 failed password attempts. That doesn't mean I don't want to know why Skype is reading /etc/passwd, but I agree the title of this article is sensational.
Time makes more converts than reason
There's nothing wrong with reading /etc/passwd.
Is there? Is there not? How should I know?
In an open source project, one could take the source and if it's FUD, debunk it immediately. Maybe there is a legit reason to read the passwd, maybe there is not. Do I know? No. Can I find out? No. It's closed source. I just know that it does. But what does it do with my passwords? Nobody knows but Skype's makers.
That's the core problem with closed source. I cannot trust it. Maybe it has a good reason to access the passwd file. But do you expect the best or the worst? As a security expert, I expect the worst by default until proven wrong. Everything else is playing Russian roulette with your system security. You can't just trust a program intrinsically until proven wrong, because when you're proven wrong, it usually is too late.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.