Skype May No Longer Be Secure

By PatB
Contributing Writer, [GAS]

MSN, Yahoo IM and AIM all use clear text in the chat discussions, which means anyone along the path of communication can read what it is you are typing,  including your boss if you use chat at work.  Many people, including myself, use Skype as an IM chat client because it has strong encryption built in. A system admin monitoring the network can still tell you are using Skype, but no one can read what you typed into the chat box.  Until now.

Ebay’s Chinese partner, Tom Group, has been distributing a version of Skype, with permission, to its Chinese users.  Tom’s version of Skype has been trojanized by the Chinese communist government to capture certain conversations that contain keywords that the government considers to be subversive.  Those chat sessions, which includes usernames, IP addresses and a record of all phone calls made over Skype, are packaged and sent encrypted to several webservers owned by Tom Group for retrieval by Chicom agents.

Quite simply, this means, if you use Skype and are chatting unknowingly to someone using this Tom-Skype version, and you use a profanity or a banned keyword, the entire chat session gets archived by the Chi-coms, along with the Skype-out phone records of the Tom-Skype user.

With thanks to Steinnon, the details are here at infowar-monitor.net:

The most damaging information concerns the log files that record call information and the content filter logs that contain full text chat messages. The call information logs date from August 2007 and contain a record of the IP addresses and usernames of all those that participated in voice calls as well as the username and/or phone number of the recipient of the call.

The content filter logs dating from August 2008 contain similar identifying information as well as the full content of the logged text messages. These messages contain sensitive information including email addresses, passwords, phone numbers, package tracking numbers and bank card numbers.

As mentioned above, the information is stored encrypted on several webservers at Tom Group.  But the webserver stores the logs in a publicly accessible directory, and politely includes the decryption code on the server so anyone can download the messages and decrypt them.  So not only do the Chicoms know about your chat sessions, lots of hackers and identity thieves probably do too.

Ebay, owner of Skype, should immeditately terminate their partnership with Tom Group for allowing their customers to have their privacy violated and should immediately issue a new version that is incompatible with the Tom Group version of Skype.