Slashdot Mirror


Microsoft Reads Your Skype Chat Messages

An anonymous reader writes "A Microsoft server accesses URLs sent in Skype chat messages, even if they are HTTPS URLs and contain account information. A reader of Heise publications notified Heise Security (link to German website, Google translation). They replicated the observation by sending links via Skype, including one to a private file storage account, and found that these URLs are shortly after accessed from a Microsoft IP address. When confronted, Microsoft claimed that this is part of an effort to detect and filter spam and phishing URLs."

34 of 275 comments

  1. Damned if they do... by mystikkman · · Score: 4, Informative

    "New Skype malware spreading at 2,000 clicks per hour to mine Bitcoins"

    http://thenextweb.com/insider/2013/04/05/new-skype-malware-spreading-at-2000-clicks-per-hour-makes-money-by-using-victims-machines-to-mine-bitcoins/

    And they try to prevent it by detecting malware and we get headlines like this. Looks like people are on a witch hunt here.

    1. Re:Damned if they do... by afidel · · Score: 5, Insightful

      Not if you agree to it in the TOS.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:Damned if they do... by Anonymous Coward · · Score: 4, Funny

      What does Skype have to do with ST:TOS?

    3. Re:Damned if they do... by gl4ss · · Score: 3, Interesting

      Not if you agree to it in the TOS.

      Except those can *never* trump national law. If it's illegal in law - no terms of service, agreement or contract can suddenly make it legal again.

      They don't technically need to intercept it at their end... if the filtering list is built into the client, then they never intercept it any more than they intercept your typing in order to send it...

      --
      world was created 5 seconds before this post as it is.
    4. Re:Damned if they do... by mu51c10rd · · Score: 5, Insightful

      Nobody else was dumb enough to click the link.

      You don't deal with many ordinary end users do you...

    5. Re:Damned if they do... by Lazere · · Score: 4, Insightful

      But it's not illegal. The law makes it illegal to intercept those messages without warrant or permission. Wouldn't agreeing to the TOS be giving them permission?

    6. Re:Damned if they do... by afidel · · Score: 3, Interesting

      We reserve the right to monitor our network for the purposes of would fly in most any country. In the EU privacy laws would probably prevent them from storing or distributing the information, but I'd think an automated scan of the linked URL would be fine. If it's not then everyone in the EU can look forward to a LOT more spam and malware since any hosted or cloud scanning technology is out.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    7. Re:Damned if they do... by Sqr(twg) · · Score: 5, Informative

      Those who care about keeping the contents of their IM conversations secret should not use Skype. As stated in their privacy policy "Skype may gather and use information about you, including (but not limited to) information in the following categories: ... (n) Content of instant messaging communications, voicemails, and video messages"

      The EFF recommends using Pidgin or Adium with OTR encryption enabled, for reasonably secure instant messaging.

      I'm glad the non-tech-savvy folks use Skype, though. If Microsoft weren't able to intercept these things, I'd have to clean out viruses from my in-laws' computers more often.

    8. Re:Damned if they do... by interval1066 · · Score: 4, Informative

      (In the US) private entities don't need warrants. Warrants are a control on government. Microsoft can do whatever they want on communication channels they own. You don't have to use those channels of course.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    9. Re:Damned if they do... by Sloppy · · Score: 5, Insightful

      Skype used to have a reputation of using encrypted peer-to-peer transmissions.

      That's funny. I remember their reputation always being "no one knows how the key exchange works and therefore nobody can trust it."

      "Encrypted" means jack shit. Skype never had a reputation for being secure because they never showed anyone that they are. With any serious VoIP protocol (e.g. zfone) they tell you how it works. If the design is a trade secret, then it's a scam. You've known that for decades.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    10. Re:Damned if they do... by Richard_at_work · · Score: 3, Informative

      Google must be fucked then, as they provide antispam and antimalware functionality in Gmail, and have done for almost a decade.

    11. Re:Damned if they do... by Immerman · · Score: 3, Interesting

      The key phrase is "private communications". If the TOS specifically state the communication is non-private, the laws regarding private communication may well not apply. The US government is currently taking the position that email and chat messages do not constitute private communication and hence do not require a warrant to monitor, do you really think the actual network providers will be held to a higher standard?

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    12. Re:Damned if they do... by TheRaven64 · · Score: 3, Informative

      It's a distinction between a federated and a proprietary network. When you make a telephone call, your mobile operator may or may not be responsible for the far end. They are selling you access to a world wide telephone network, parts of which are operated by many companies even within a single country. The rules for this network are defined in part by the ITU and in part by the national laws of the various participating countries. In most of the western world, these place limits on who is allowed to listen in to messages. In contrast, Microsoft is selling you access to a private network that is owned and operated entirely by them.

      The laws apply to federated networks because you may not have a direct business relationship with the carriers for a potentially large part. They do not need to apply for non-federated private services, because you have a direct business relationship with the supplier, in this case Microsoft.

      --
      I am TheRaven on Soylent News
    13. Re:Damned if they do... by KingMotley · · Score: 5, Insightful

      Email spam filters are evil too! My ISP is reading my emails, OMG!

    14. Re:Damned if they do... by bws111 · · Score: 3, Interesting

      Nope. First, if you don't want your site open to the public, protect it. There is no indication that MS tried to get around any authentication methods or used false credentials to gain access to the site.

      Second, robots.txt is a convention and nothing else. Nobody is required to abide by it, and there certainly is no law against ignoring it.

      Third, the article said the requests came in 'several hours' after the messages were sent, so any one-time URLs should have already been used or expired.

      Last, and most importantly, any questions of improper access would be strictly between MS and the web site owner, not some third party who happened to reference the URL. Granted, in some (very few) cases the web site owner and the third party can be the same person, but even then the person would have to be acting in the capacity of web site owner, not Skype user.

      So no, they do not need the permission of the Skype user to access the URL.

    15. Re:Damned if they do... by caluml · · Score: 5, Insightful

      I once renamed shutdown.exe from the Windows resource kit to DONOTRUN.exe, and sent it in a mail round to the company (in the I love you/Melissa days), warning people in the subject, and message to NOT RUN THE ATTACHED attachment.

      People then started coming to me complaining they'd lost work because their computer had shutdown.

      It's amazing, it really is.

    16. Re:Damned if they do... by andy_t_roo · · Score: 3, Insightful
      the other thing here is this only makes it clear that the link is "accessed" -- it's quite possible that the link is not persisted in any way. In that case this would just be an automated part of the message passing process, and not a record of the conversation.

      It depends on if skype is sending all chats, or just the links. It depends on if microsoft is archiving what it receives or just checking them for malware. As usual, more information is required to make an informed judgement on this issue.

  2. Alternate headline by recoiledsnake · · Score: 4, Insightful

    Alternate headline: Microsoft protects hundreds of millions of Skype users by going to the effort of checking even https URLs in chat for malware and spam

    --
    This space for rent.
    1. Re:Alternate headline by Anonymous Coward · · Score: 5, Informative

      The problem with that, according to TFA, is that they only check https but not http. The latter being what malware sites use.
      Also, they are sending HEAD requests, not GET. They are only getting the headers, not the content, so have no way of knowing if there is malware at the URL.
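      If you operate the site a shared link points to, the fetch the commenters describe shows up in your own access log. The following is an added example (not from the article, Heise, Microsoft or any commenter): it parses Apache/nginx "combined" log lines and reports every request for a link you shared that did not come from the intended recipient, with the method (HEAD vs GET) and the delay after sharing. The log lines, IP addresses and paths are constructed sample data.

```python
"""Spot third-party fetches of shared links in a web server's access log."""
import re
from datetime import datetime, timezone

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, ua; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def unexpected_fetches(log_lines, shared):
    """shared maps a path to (sent_at, recipient_ip).
    Returns (path, ip, method, seconds_after_sharing, user_agent) for every
    request to a shared path that came from someone other than the recipient."""
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in shared:
            continue
        sent_at, recipient = shared[rec["path"]]
        if rec["ip"] == recipient or rec["ts"] < sent_at:
            continue  # the recipient's own visit, or traffic predating the share
        delay = int((rec["ts"] - sent_at).total_seconds())
        findings.append((rec["path"], rec["ip"], rec["method"], delay, rec["ua"]))
    return findings

# Constructed sample: a one-time download link shared at 10:00 UTC with 203.0.113.7.
# The recipient GETs it; an unrelated host HEADs the same path a few hours later.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/May/2013:10:05:12 +0000] "GET /dl/abc123 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/May/2013:13:42:03 +0000] "HEAD /dl/abc123 HTTP/1.1" 200 - "-" "Scanner/1.0"',
    '198.51.100.9 - - [14/May/2013:13:42:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Scanner/1.0"',
]
SHARED = {"/dl/abc123": (datetime(2013, 5, 14, 10, 0, tzinfo=timezone.utc), "203.0.113.7")}

if __name__ == "__main__":
    for f in unexpected_fetches(SAMPLE_LOG, SHARED):
        print("%s fetched by %s via %s, %ds after sharing (UA: %s)" % f)
```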

    2. Re:Alternate headline by bws111 · · Score: 4, Insightful

      Since you don't have any way to know exactly what they are doing, it is kind of silly to call that a 'problem'. Maybe they only do a HEAD because the response indicates authorization is required. Maybe they only visit a URL once, and already have visited the http site. Maybe they only do anything if something else triggers it (number of hits on a URL in a certain amount of time). You have no way of knowing that they only check https, you just know that in this particular case they only checked https. You have no way of knowing that they only get the headers, just that in this particular case they only got the headers.

  3. This is news? by csumpi · · Score: 5, Insightful

    AOL reads your messages. Google reads your messages. Facebook reads your messages. Apple reads your messages. Microsoft reads your messages.

    How is this news? The price for free IM is that they read your messages and sell the info they gather to advertisers.

    1. Re:This is news? by Anonymous Coward · · Score: 3, Informative

      Except not. As far as Microsoft has announced, they don't mine your messages for advertising's sake (if they did, their entire "Scroogled" campaign would be hugely hypocritical and I'm sure someone would have called them on it). This is exclusively scanning for a URL and matching against a database - they're not saving any information about your messages, especially if they don't contain a link.

      I'd say "take your FUD elsewhere", but this is Slashdot and a post about Microsoft...

    2. Re:This is news? by Enderandrew · · Score: 4, Informative

      Except Microsoft does mine your email context to serve up contextual ads.

      http://www.nbcnews.com/technology/microsofts-new-outlook-mail-welcome-hotmail-replacement-917473

      They say theirs isn't as deep, so it respects your privacy more, but what it really means is that they're not as good at serving up contextual ads, but they're still scanning your email.

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    3. Re:This is news? by Enderandrew · · Score: 4, Informative

      http://rt.com/usa/yahoo-microsoft-campaign-political-862/

      Microsoft has been caught selling DATA to advertisers.

      And they have a patent specifically covering selling your personal private data to advertisers, allowing advertisers to bid on that data.

      http://www.bizjournals.com/seattle/blog/techflash/2010/02/gates_ozzie_other_microsoft_execs_patent_personal_data_mining.html

      It is only bad business if the media calls them out on it, which hasn't really happened. That is why Microsoft spends a small fortune on astroturfing, shifting the focus on Google for privacy concerns.

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
  4. I wonder... by fuzzyfuzzyfungus · · Score: 3, Interesting

    Is anybody else suddenly feeling a sense of curiosity about what sorts of vulnerabilities, if any, the program that Microsoft probes URLs sent over skype with may possess?

    If TFA is accurate, you can make whatever software this is visit a URL just by skype-chatting it to somebody. What sort of security measures would they have in place for systems whose job it is to poke every last probably-malware link that goes across skype?

    1. Re:I wonder... by malakai · · Score: 4, Interesting

      It's no different than Google checking URLs for malware and warning you when you click a URL hosted on any of the Google services.
      Also, this:

      even if they are HTTPS URLs and contain account information

      that makes no sense. First, why would HTTPS be some sort of exception? It's not like SSL'ing a website is all that difficult.
      Second, why would you supposedly go through the trouble of using a 'secure' HTTP address if you are then going to pass in account credentials in the URL?
      I know the whole communication is encrypted, but why would you pass "https://user:secret@www.supersecurebank.com/something?foo=bar" via a Skype message if it was really the intention to be secure ( putting aside the absurdity of leaving credentials in the URL ).

      Long story short, this looks like Skype looking out for the 99% of the internet, and the 1% are crying foul. I'd rather every link my family sends each other via Skype be threat checked.
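      Whatever the scanner does with it, a URL that carries credentials in its userinfo or a bearer token in its query string is handed to anyone who fetches it. As an added example (not code from Skype, Microsoft or any commenter), the following scans an outgoing chat message for such URLs and rewrites them with the secrets removed; the list of parameter names and the sample message are assumptions, and it handles both the user:secret@ form from the comment above and token-style query parameters.

```python
"""Flag and redact URLs that would leak credentials if a third party fetched them."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

URL_RE = re.compile(r'https?://[^\s<>"\']+')
# Query parameter names treated as bearer secrets (assumed list; extend for your apps).
SECRET_PARAMS = {"token", "access_token", "key", "apikey", "api_key",
                 "password", "passwd", "secret", "sig", "signature", "auth"}

def url_secrets(url):
    """Return the reasons this URL is sensitive; an empty list means none found."""
    parts = urlsplit(url)
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo in authority (%s@...)" % parts.username)
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            reasons.append("secret query parameter '%s'" % name)
    return reasons

def redact_url(url):
    """Drop userinfo and blank out secret query values, keeping the rest of the URL."""
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1]  # everything after user:pass@, port included
    q = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
         for k, v in parse_qsl(p.query, keep_blank_values=True)]
    return urlunsplit((p.scheme, host, p.path, urlencode(q), p.fragment))

def scan_message(text):
    """Return (findings, redacted_text) for one outgoing chat message.
    findings is a list of (original_url, reasons)."""
    findings = []

    def fix(m):
        url = m.group(0)
        why = url_secrets(url)
        if why:
            findings.append((url, why))
            return redact_url(url)
        return url

    return findings, URL_RE.sub(fix, text)

# Constructed sample message modelled on the commenter's example URL.
SAMPLE = ("here you go: https://user:secret@www.example.com/files?foo=bar&token=abc123 "
          "and the public page https://www.example.com/about")

if __name__ == "__main__":
    found, cleaned = scan_message(SAMPLE)
    for url, why in found:
        print(url, "->", "; ".join(why))
    print(cleaned)
```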

    2. Re:I wonder... by gallondr00nk · · Score: 3, Insightful

      What sort of security measures would they have in place for systems whose job it is to poke every last probably-malware link that goes across skype?

      I bet they run Linux.

  5. Hmmm ... by gstoddart · · Score: 4, Interesting

    So, as I fully expected, this whole campaign about users being "Scroogled" that Microsoft has been involved in is misdirection, and they do the same thing.

    Wanna bet they also scrape your hotmail and everything else in the same way they accuse Google of doing?

    --
    Lost at C:>. Found at C.
  6. Re:Is there any way? by fuzzyfuzzyfungus · · Score: 4, Insightful

    Both Facebook and Google's chats use bog standard XMPP (aka Jabber). Normal, clueless people use Facebook to chat. The few that don't use Facebook use the chat inside Gmail, or the one installed on their smartphone. Encryption over XMPP is very common; you'd need to use a non-standard client (say, Pidgin), but it's feasible.

    The major problem is that encryption requires support at both ends:

    Even a totally proprietary chat network (if it's been cracked open far enough that 3rd party clients exist, or 3rd-party wrappers around the first party client or libraries exist) can be used to send encrypted payloads; but only if both users are set up for that (Pidgin with OTR, say, works just fine over AOL's 'Oscar' protocol; but only if both ends are using it). This is the real killer. If you don't have control over what your clueless compatriot is using, none of the client-side encryption options are going to help you much. Not supported in Google's gmail web app window thing? No deal. Not supported by cellphone's default chat client? No deal.

    You'll still probably get SSL, from all but the shittiest chat services; but that only protects you from people watching the wire, not from the service provider (who is the man in the middle, with one SSL-protected connection to you and a second to your chat compatriot).

    Same with email: it's less common than it used to be for email to go between the client and the mailserver in the clear; but it's still damn rare for messages to be encrypted at the client end and thus safe from the mailserver operator.

  7. Re:So much for the "MS cares for your privacy". by Enderandrew · · Score: 4, Informative

    https://www.eff.org/who-has-your-back-2013

    Microsoft is extremely hypocritical in their claims of privacy protection, and their attacks on Google.

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
  8. Denial of Service Potential? by duplo1 · · Score: 3, Interesting

    Hopefully MS does some dupe checking on their end, otherwise this could amount to a DoS attack. Imagine spamming out the victim's URL to hundreds of thousands of Skype users and then MS flooding that URL with requests.

  9. Re:...Not that unexpected, and not that big a deal by xeio87 · · Score: 3, Informative

    How would you even propose they filter spam links without a basic request? Do they blacklist all URL shorteners, or do you just let all spam that uses URL shorteners to go through?

  10. Totally plausible by Kimomaru · · Score: 3

    I do not like to defend Microsoft, but I can see this as being the case. Skype's got quite a bit of problems with Messenger Spam, this may be a mechanism to review them.

    By the way, if privacy is your problem, you're not fixing it by using someone else's infrastructure. You should expect, by default, that they're going through your information. Build your own server or forever hold your peace.

  11. Re:Problems with closed source by MiG82au · · Score: 3, Informative

    Not if both sides use the OTR plugin that comes with Pidgin.