Skype for Android Lets Local Users Obtain Potentially Sensitive Information
|
|
SecurityTracker Alert ID: 1025387 |
|
SecurityTracker URL: http://securitytracker.com/id/1025387
|
|
CVE Reference:
CVE-2011-1717
(Links to External Site)
|
Date: Apr 19 2011
|
Impact:
Disclosure of system information, Disclosure of user information
|
Vendor Confirmed: Yes Exploit Included: Yes
|
|
Description:
A vulnerability was reported in Skype for Android. A local user can obtain potentially sensitive information.
The Skype application stores potentially sensitive information in sqlite3 databases with world readable permissions. An application on the device can access the Skype username, account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, webpage address, bio, contact list, instant message logs, and other information.
The original advisory is available at:
http://www.androidpolice.com/2011/04/14/exclusive-vulnerability-in-skype-for-android-is-exposing-your-name-phone-number-chat-logs-and-a-lot-more/
Justin Case reported this vulnerability.
|
Impact:
A local user can obtain potentially sensitive information.
|
Solution:
No solution was available at the time of this entry.
The vendor is working on a fix.
The vendor's advisory is available at:
http://blogs.skype.com/security/2011/04/privacy_vulnerability_in_skype.html
|
Vendor URL: blogs.skype.com/security/2011/04/privacy_vulnerability_in_skype.html (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Android
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 19 Apr 2011 05:45:29 +0000
Subject: Skype
|
http://blogs.skype.com/security/2011/04/privacy_vulnerability_in_skype.html
http://www.androidpolice.com/2011/04/14/exclusive-vulnerability-in-skype-for-android-is-exposing-your-name-phone-number-chat-logs-and-a-lot-more/
CVE-2011-1717
|
|
