Tuesday, October 6, 2015

Skype, stop sending (hashed) usernames in clear text

I suspect that experienced users may find this article to be less newsworthy, but I’ll point out the fact anyway: Skype for Desktop has a long history of sending persistent user identifiers in clear text.  The situation may be less worrying than the case of Microsoft accounts and CIDs, but it should be stopped nevertheless.


As shown in the screenshot above, when checking for updates at startup—using plain HTTP—Skype for Desktop includes a parameter called “uhash” whose value is, presumably, a hashed username.  Indeed, its value seems to be account-specific and invariant under changes of session, password, client version, and operating system version.

There doesn’t seem to be a publicly accessible mechanism that maps “uhash” values to Skype usernames (although we don’t know whether one is available to government agencies).  Nor do we know how to calculate a “uhash” value from a Skype username, or who besides Skype themselves knows how.  The “uhash” values that I saw have 33 (not 32) hexadecimal characters.  We do know, however, that Skype for Desktop has been sending “uhash” for a long time: it was already mentioned in a 2005 master’s thesis, although the “uhash” there had just 32 characters and the Skype version was 1.0.0.20.

Including a user identifier, in clear text, in a check for software updates seems unreasonable.  In fact, “uhash” only adds to the pile of “strong selectors” that resourceful government agencies can use to track users.
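As an added illustration (not code from the original post), here is a small Python check that a defender could run over proxy or egress logs to flag plain-HTTP requests whose query string carries a long hexadecimal token such as the “uhash” parameter; the host, path, log format and the 33-character hash value are constructed for the example.

```python
"""Flag plaintext HTTP requests whose query string carries a persistent
identifier such as Skype's "uhash" parameter (constructed example)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Hex tokens of 32 or more characters: the post reports 33-character
# "uhash" values, and 32 is the length of a raw MD5 hex digest.
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{32,}$")


def find_cleartext_identifiers(url):
    """Return (name, value) pairs from a plain-HTTP URL whose values look
    like persistent identifiers. HTTPS URLs return [], because the token
    is at least not visible to a passive observer on the wire."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == "uhash" or HEX_TOKEN.match(value):
            hits.append((name, value))
    return hits


def scan_proxy_log(lines):
    """Scan constructed log lines of the form
    '<timestamp> <client-ip> <method> <url>' and report the leaking ones."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip it
        url = fields[3]
        hits = find_cleartext_identifiers(url)
        if hits:
            findings.append({"client": fields[1], "url": url, "params": hits})
    return findings


# Constructed sample lines; example.invalid, the path and the hex value are
# placeholders, not a real Skype endpoint or a real "uhash".
SAMPLE_LOG = [
    "2015-10-06T09:00:01Z 10.0.0.5 GET http://example.invalid/update/check"
    "?ver=7.10.0.101&uhash=0123456789abcdef0123456789abcdef0",
    "2015-10-06T09:00:02Z 10.0.0.5 GET https://example.invalid/update/check"
    "?ver=7.10.0.101&uhash=0123456789abcdef0123456789abcdef0",
    "2015-10-06T09:00:03Z 10.0.0.7 GET http://example.invalid/static/logo.png?v=3",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding["client"], "leaks", finding["params"], "via", finding["url"])
```

Only the first sample line is reported: the second carries the same token but over HTTPS, and the third has no identifier-like value.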

Skype should stop sending user identifiers, even if pseudonymous, in clear text.
