I awoke yesterday morning to mail from PhoneBoy telling me that iSkoot is passing passwords in the clear, unencrypted. He put a packet trace on his WiFi router and used the Nokia N95 to access iSkoot via WiFi rather than the way it is more usually accessed, which is over the air. This morning he has also provided a dump of the session to prove to the network geeks out there that his assertion is correct.
iSkoot should take note and encrypt that channel. That goes without saying. It’s an exploitable flaw.
In the meantime, I’m not worrying about it too much. The vulnerability occurs when using iSkoot from a WiFi-enabled phone (not too many of those out there, although we’d all like to see more), and when your password is being passed to the system. In order to exploit it, a hacker would have to crack the encryption on your WiFi router and sniff your password out of the air at the point in time you were logging in.
The biggest issue I see is that so many people use the same password on every site. If someone were to discover your Skype password this way, you might lose whatever balance you have on your SkypeOut account, but more importantly they might also be able to compromise the security on other sites – say your bank – if you habitually reuse your password as many people do.
If you own a WiFi-enabled phone and use iSkoot via WiFi:
- Don’t use the WiFi at a public access point.
- Or, if you must use iSkoot at a public access point, change the password on your Skype account to something that you don’t use anywhere else.
Perhaps the most peculiar aspect of this was Mark Jacobstein’s denial, in the comments on PhoneBoy’s blog, that passwords are being sent in the clear. I hope to see iSkoot publicly acknowledge the issue and commit to a very fast timeline to get a fix in. If they let this issue linger, it has the potential to damage the business that they have worked so hard to build with carriers. That would be a shame.