Be careful on Skype, Microsoft is reading your texts
Anyone who uses Skype, has agreed that Skype may also read their text messages too. Heise Security has found out that Microsoft, which bought Skype in 2011 for $8.5 billion, actually avails itself of this right. At the very least https URLs sent via the chat interface receive an unannounced visit from Redmond some time later.
Heise was alerted to this by a reader who pointed out that unusual network traffic was reported after a Skype chat with colleagues. The server logs pointed to a possible replay attack. As things turned out, a Redmond IP address had accessed the https URLs that had previously been sent. The Heise Security re-enacted the situation, sending each other URLs: one of the test https URLs contained login information; the other pointed to a private file sharing cloud service. A few hours after posting the team spotted the following in the the server log files:
65.52.100.214 - - [30/Apr/2013:19:28:32 +0200] "HEAD /.../login.html?user=tbtest&password=geheim HTTP/1.1"
Heise Security too had received a visit from an IP address registered to Microsoft. Some readers reported in the comments that Microsoft also monitors http URLs.
When challenged about this behaviour, the company asserted that messages are scanned to filter out links to spam and phishing pages. However, the facts do not support this assertion: spam and phishing sites don’t normally lurk behind https URLs and Skype didn’t touch those. Furthermore, Skype is sending out head requests, which only the server’s retrieve administration data. Skype would have to examine the content of pages to investigate web pages for spam or phishing.
Heise’s conclusion is that anyone who uses Skype must only agree that Microsoft can use all the data transferred almost as it feels inclined to do. It must be assumed that this actually occurs and that the company will not reveal exactly what it is doing with this data.
As far back as 2008, The H Online, Heise’s English language news site, had previously drawn attention to potential eavesdropping in Skype.
Anyone concerned about their privacy and the security of their own data is therefore advised to switch their communications to a client using the open source XMMP (formerly known as Jabber) protocol and free chat programs that support it.