This allows any program accessing the Desktop API through the backdoor to remain hidden from the user.įinally, no attempts are made to determine what programs that are accessing the Desktop API since they identify themselves as the undocumented client name identifier "Skype Dashbd Wdgt Plugin". Furthermore, no mention is made in the "Manage API Clients" list. In the case of the backdoor no such notification attempt is made and as such the user is not given the opportunity to deny access.
Notifying the user of Desktop API through the backdoor works differently than the normal course of action which is to notify the user of an access attempt and prompt the user for permission. Indeed, this possibility seems even more likely when you consider that the Desktop API provides for an undocumented client name identifier (namely "Skype Dashbd Wdgt Plugin"). As described in the Trustwave advisory, the issue is an authentication by-pass discovered in the API whereby a local program could by-pass authentication if they identified themselves as the program responsible for interfacing with the Desktop API on behalf of the Skype Dashboard widget program.Īn interesting possibility is that this bug is the result of a backdoor entered into the Desktop API to permit a particular program written by the vendor to access the Desktop API without user interaction. The API is formally known as the Desktop API (previously known as the Skype Public API – Application Programming Interface) and it enables third-party applications to communicate with Skype.
SKYPE FOR MAC MAC
Trustwave recently reported a locally exploitable issue in the Skype Desktop API Mac OS-X which provides an API to local programs/plugins executing on the local machine.
0 kommentar(er)
