Good find. I think it should also be possible to disable the "delete *" command with triggers, as a nice way to backdoor the database (almost non-intrusive compared with installing rogue plugins, and the user isn't likely to ever find out).

On Mon, Feb 13, 2012 at 11:25 AM, Osama Bin Error <[email protected]> wrote:
> Title:
> ======
> Skype v. 5.x.x - information disclosure
>
> Date:
> =====
> 2012-02-13
>
> Introduction:
> =============
> Skype is a proprietary voice-over-Internet Protocol service and
> software application.
>
> Abstract:
> =========
> We have discovered improper chat logs handling, which results in logs
> accessibility even if user had enabled "no history" option in "Keep
> history for" settings or even destroy it manually with "Clear history"
> button.
>
> Report-Timeline:
> ================
> 2012-02-13: Public Disclosure
>
> Status:
> ========
> Published
>
> Exploitation-Technique:
> =======================
> Local
>
> Severity:
> =========
> Low
>
> Details:
> ========
> As mentioned in the Skype FAQ
> (https://support.skype.com/en-gb/faq/FA140/Managing-your-privacy-settings-Windows):
> "You can choose how long to keep your conversation history for, or
> delete it altogether.
> 1. To change your history settings, in Skype from the menu bar click
> Skype > Privacy.
> 2. Below Keep history for, click on the drop-down list and select the
> amount of time you would like your history to be saved for.
> Choose from forever, 3 months, 1 month, 2 weeks or no history at all.
> 3. To delete your conversation history, click Clear history. This
> removes your entire history, including instant messages, calls,
> voicemails, text messages, sent and received files. If you delete your
> conversation history, you cannot recover it."
>
> This sounds safe, but in fact Skype stored all incoming and outgoing
> chat messages into local sqlite3 DB (file main.db, table Messages), in
> plain text. Even if "Keep history for"->"no history" option in
> Settings->Security is enabled, Skype writes all your data into Messages
> table, but executes "delete * from Messages" after program exit. This
> command will destroy messages at logical level in DB, but in fact, in
> physical level all messages data stay alive (blocks in the DB file
> are only marked as destroyed), and simply can be recovered even with text
> editor (as mentioned above, it is stored in plain text).
>
> Proof of Concept:
> =================
> In Windows XP, go to "C:\Documents and Settings\%user
> name%\Application Data\Skype\%Skype user name%" and open file main.db
> with text editor. All the ducks inside.
>
> Credits:
> ========
> Anonymous
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
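
The residue behaviour the advisory describes, and two SQLite settings that remove it, as an added example that is not part of the original thread or of Skype's code. Only the `main.db` file name and `Messages` table name come from the advisory; the `body` column and the marker string are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample message used as a searchable marker in the raw file.
MARKER = b"CONSTRUCTED-SAMPLE-CHAT-LINE-0001"


def residue_after_delete(secure_delete, vacuum=False):
    """Return True if the deleted message text is still in the raw DB file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "main.db")  # file name from the advisory
        conn = sqlite3.connect(path)
        # Set explicitly: some SQLite builds default secure_delete to ON.
        mode = "ON" if secure_delete else "OFF"
        conn.execute("PRAGMA secure_delete = %s" % mode)
        # Hypothetical schema; only the table name comes from the advisory.
        conn.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, body TEXT)")
        conn.execute("INSERT INTO Messages (body) VALUES (?)", (MARKER.decode(),))
        conn.commit()  # the row is now on disk in plain text
        conn.execute("DELETE FROM Messages")  # logical delete only
        conn.commit()
        if vacuum:
            conn.execute("VACUUM")  # rebuilds the file from live rows only
        conn.close()
        with open(path, "rb") as fh:
            return MARKER in fh.read()


if __name__ == "__main__":
    print("plain DELETE leaves text in file:  ", residue_after_delete(False))
    print("secure_delete=ON leaves text:      ", residue_after_delete(True))
    print("DELETE then VACUUM leaves text:    ", residue_after_delete(False, vacuum=True))
```

Neither setting covers copies outside the database file, such as filesystem slack space or backups.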
