Microsoft Reads Your Skype Chat Messages
An anonymous reader writes "A Microsoft server accesses URLs sent in Skype chat messages, even if they are HTTPS URLs and contain account information. A reader of Heise publications notified Heise Security (link to German website, Google translation). They replicated the observation by sending links via Skype, including one to a private file storage account, and found that these URLs are shortly after accessed from a Microsoft IP address. When confronted, Microsoft claimed that this is part of an effort to detect and filter spam and phishing URLs."
Re:Damned if they do... (Score:1, Interesting)
Skype used to have a reputation of using encrypted peer-to-peer transmissions. For this snooping to work, Skype has to route all messages through Microsoft, and any encryption must have a backdoor for Microsoft.
Re:Damned if they do... (Score:4, Interesting)
Not if you agree to it in the TOS.
Except those can *never* trump national law. If it's illegal in law, no terms of service, agreement or contract can suddenly make it legal again.
They don't technically need to intercept it at their end... if the filtering list is built into the client, then they never intercept it any more than they intercept your typing in order to send it...
Re:Damned if they do... (Score:4, Interesting)
We reserve the right to monitor our network for the purposes of would fly in most any country. In the EU privacy laws would probably prevent them from storing or distributing the information, but I'd think an automated scan of the linked URL would be fine. If it's not then everyone in the EU can look forward to a LOT more spam and malware since any hosted or cloud scanning technology is out.
I wonder... (Score:4, Interesting)
Is anybody else suddenly feeling a sense of curiosity about what sorts of vulnerabilities, if any, the program that Microsoft probes URLs sent over Skype with may possess?
If TFA is accurate, you can make whatever software this is visit a URL just by Skype-chatting it to somebody. What sort of security measures would they have in place for systems whose job it is to poke every last probably-malware link that goes across Skype?
Hmmm ... (Score:5, Interesting)
So, as I fully expected, this whole campaign about users being "Scroogled" that Microsoft has been involved in is misdirection, and they do the same thing.
Wanna bet they also scrape your hotmail and everything else in the same way they accuse Google of doing?
Re:I wonder... (Score:5, Interesting)
It's no different than Google checking URLs for malware and warning you when you click a URL hosted on any of the Google services.
Also, this:
that makes no sense. First, why would HTTPS be some sort of exception? It's not like SSL'ing a website is all that difficult.
Second, why would you supposedly go through the trouble of using a 'secure' HTTP address if you are then going to pass in account credentials in the URL?
I know the whole communication is encrypted, but why would you pass "https://user:secret@www.supersecurebank.com/something?foo=bar" via a Skype message if it was really the intention to be secure (putting aside the absurdity of leaving credentials in the URL).
Long story short, this looks like Skype looking out for the 99% of the internet, and the 1% are crying foul. I'd rather every link my family sends each other via Skype be threat checked.
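Added example, not part of the comment above and not Skype or Microsoft code: a pre-send check that catches the credentials-in-URL pattern the comment quotes, stripping userinfo and secret-looking query parameters from links in a message before it leaves the sender. The parameter-name list, function names and sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed list of query-parameter names that commonly carry secrets.
SECRET_PARAMS = {"token", "access_token", "key", "apikey", "api_key", "sig",
                 "signature", "password", "passwd", "secret", "session"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def redact_url(url):
    """Return (safe_url, findings) for a single URL."""
    try:
        parts = urlsplit(url)
    except ValueError:              # malformed authority, e.g. bad IPv6 literal
        return url, []
    findings = []
    netloc, query = parts.netloc, parts.query
    # user:password@host survives TLS on the wire but not being pasted in chat.
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo")
        netloc = netloc.rsplit("@", 1)[1]
    pairs = parse_qsl(query, keep_blank_values=True)
    redacted = [(n, "REDACTED" if n.lower() in SECRET_PARAMS and v else v)
                for n, v in pairs]
    if redacted != pairs:           # rebuild the query only when it changed
        findings += ["param:" + n for (n, v), (_, r) in zip(pairs, redacted)
                     if v != r]
        query = urlencode(redacted)
    safe = urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))
    return safe, findings


def scan_message(text):
    """Redact every URL in a chat message; return (safe_text, findings)."""
    findings = []

    def _fix(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")  # sentence punctuation is not part of the URL
        safe, found = redact_url(url)
        findings.extend(found)
        return safe + raw[len(url):]

    return URL_RE.sub(_fix, text), findings


# Constructed sample message; the first URL is the one quoted in the comment.
MESSAGE = ("statement: https://user:secret@www.supersecurebank.com/something"
           "?foo=bar, backup: https://files.example.test/dl?id=7&token=abc123")

if __name__ == "__main__":
    print(scan_message(MESSAGE))
```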
Denial of Service Potential? (Score:4, Interesting)
Re:Damned if they do... (Score:4, Interesting)
The key phrase is "private communications". If the TOS specifically state the communication is non-private, the laws regarding private communication may well not apply. The US government is currently taking the position that email and chat messages do not constitute private communication and hence do not require a warrant to monitor, do you really think the actual network providers will be held to a higher standard?
Re:Damned if they do... (Score:4, Interesting)
Nope. First, if you don't want your site open to the public, protect it. There is no indication that MS tried to get around any authentication methods or used false credentials to gain access to the site.
Second, robots.txt is a convention and nothing else. Nobody is required to abide by it, and there certainly is no law against ignoring it.
Third, the article said the requests came in 'several hours' after the messages were sent, so any one-time URLs should have already been used or expired.
Last, and most importantly, any questions of improper access would be strictly between MS and the web site owner, not some third party who happened to reference the URL. Granted, in some (very few) cases the web site owner and the third party can be the same person, but even then the person would have to be acting in the capacity of web site owner, not Skype user.
So no, they do not need the permission of the Skype user to access the URL.