The official Skype app for Mac has a security vulnerability that allows virtually complete access to the application without authorization. According to Securitylab experts, the vulnerability has existed since at least 2010 and could affect roughly 30 million Mac users.
Apparently, a backdoor in the Skype Desktop API code was accidentally created by one of Skype's developers before the company was acquired by Microsoft. The flaw allows an attacker to record audio calls, retrieve users' contact information, read incoming messages, create new chat conversations, edit messages and carry out other malicious activities.
The Skype Desktop API allows third-party applications to communicate with Skype. Under normal conditions a third-party application must provide credentials; however, researchers at Trustwave found that the authentication procedure can be circumvented.
Presumably, the backdoor was created to give older versions of the Skype Dashboard Widget access to the Desktop API without user interaction. This seems quite plausible, since the Desktop API provides an undocumented client ID (Skype Dashbd Wdgt Plugin).
According to the researchers, applications can gain unauthorized access to the Desktop API when using “Skype Plugin Dashbd Wdgt” as the client ID.
According to experts, the widget does not use the backdoor to access the Desktop API. “It is possible that the backdoor is the result of a developer error that they forgot to fix while working on the implementation of the widget. Most likely, the backdoor was used for some time in the past, but then it ceased to operate and was just left,” say the researchers.