Skype Privacy Concern: It sends detected numbers + URLs to its server!

A default Skype installation also installs the Skype Add-On (Plug-In) in your browsers. After that, when you browse a page, most of the telephone numbers on it are detected and highlighted.

For example:

And look at this if you currently have Skype installed on your computer: 0044-7987654321

Now the problem is: Skype always sends all of these detected numbers to one of its servers, “pnrws.skype.com”. Worse, it also sends the page URL in the “Referer” (referrer) header of the request. As a result, the Skype server can log all of this information together with the user’s IP address in order to track or identify a person. And the question is: why does Skype need this information?

As a proof of concept, I will put a phone number on a Facebook page and monitor the HTTP requests using Fiddler. The results are shown in the following images (if you cannot see the images, your ISP has been blocked by GoDaddy):

Facebook page:

In Fiddler:

As you can see, my Facebook URL and the phone number are sent to the Skype server.
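As an added example (not code from the original post): a small Python checker that runs over a few constructed request records, the kind you could export from a Fiddler session, and flags requests that carry a phone-number-like token to a host that is not the origin named in the Referer header. The record format, the request path on pnrws.skype.com and the other hostnames are assumptions.

```python
"""Flag browser requests that leak page data to a third-party host.

Added example, not from the original post. Each request record is a
dict with a 'url' and a 'headers' dict; this shape is an assumption,
not a Fiddler export format.
"""
import re
from urllib.parse import urlsplit, unquote

# Loose phone-number pattern: optional + or 00 prefix, then digits that may
# be separated by spaces, dashes or dots. Deliberately permissive; the
# digit-count check below trims obvious non-numbers.
PHONE_RE = re.compile(r"(?<!\d)(?:\+|00)?\d[\d .-]{6,18}\d(?!\d)")

# Constructed sample capture (not real traffic). The /lookup path on
# pnrws.skype.com is assumed; only the hostname comes from the post.
SAMPLE_REQUESTS = [
    {"url": "http://pnrws.skype.com/lookup?number=0044-7987654321&lang=en",
     "headers": {"Referer": "http://www.facebook.com/profile.php?id=EXAMPLE-PAGE-ID"}},
    {"url": "http://www.facebook.com/ajax/feed?cursor=1291161600",
     "headers": {"Referer": "http://www.facebook.com/profile.php?id=EXAMPLE-PAGE-ID"}},
    {"url": "http://static.example.net/img/logo.png",
     "headers": {"Referer": "http://www.facebook.com/profile.php?id=EXAMPLE-PAGE-ID"}},
]


def digits_only(s):
    """Strip everything except digits so numbers compare consistently."""
    return re.sub(r"\D", "", s)


def find_cross_site_number_leaks(requests):
    """Return (third_party_host, number_digits, referring_page) tuples.

    A request is flagged when it carries a Referer header, its host differs
    from the Referer host (so the page origin is disclosed to a third party),
    and its decoded path+query contains a phone-number-like token.
    """
    findings = []
    for req in requests:
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        referer = headers.get("referer")
        if not referer:
            continue
        target = urlsplit(req["url"])
        source = urlsplit(referer)
        if target.hostname == source.hostname:
            continue  # same site as the page: not a cross-site leak
        # Decode percent-encoding so numbers hidden in the query are seen.
        decoded = unquote(target.path + "?" + target.query)
        for match in PHONE_RE.finditer(decoded):
            number = digits_only(match.group(0))
            if 8 <= len(number) <= 15:  # plausible subscriber-number length
                findings.append((target.hostname, number, referer))
    return findings


if __name__ == "__main__":
    for host, number, page in find_cross_site_number_leaks(SAMPLE_REQUESTS):
        print(f"number {number} sent to {host} while viewing {page}")
```

Run over the constructed capture, only the pnrws.skype.com request is reported; the same-origin Facebook request (even though its query holds a ten-digit cursor) and the image request without a number are ignored.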

However, I think the number detection of the Skype Add-On does not send more important information such as credit card numbers!

Now, if you are a bit concerned about your privacy, just disable the Skype Add-Ons (Plug-Ins) in your browsers.

Please let us know if you know how Skype uses this information and why Skype needs this information.

How Secunia PSI put the privacy in danger

“The Secunia PSI software is a free security tool designed to detect vulnerable and out-dated programs.” Although this application is very useful for securing a computer by keeping it up to date, unfortunately it puts the user’s or the company’s privacy in danger. According to the latest post at the following URL, user information “is never passed on with personally identifiable information (such as the usernames in path names)”:

http://secunia.com/community/forum/thread/show/4951/secunia_psi_how_to_delete_information

I want to prove that Secunia PSI actually passes the following information, which can be treated as confidential data for a company or cause privacy issues for a real person:

1- Domain Name or Workgroup Name (“langgourp”)

2- Computer Name (“hostname”)

3- Username (there are files in the “Application Data” directory, such as the Mozilla Firefox “extensions” folder, which Secunia PSI lists, and the user’s name is part of those paths)

4- List of directories on the hard disk that contain files with certain extensions such as “exe”, “dll”, “ocx”, and so on. Some of these directory names can contain important information such as personal names, project names, company names, and so on.

My proof is very simple and you can do it yourself. As Secunia PSI is based on a web application, all of its messages to its server can be monitored using the Fiddler HTTP Debugging Proxy, which is absolutely free: http://www.fiddler2.com/Fiddler2/version.asp

Now follow these steps:

- Scan the computer once using Secunia PSI (if it is the first time)

- Close the Secunia PSI application completely from the Task Manager

- Open Fiddler and go to “Tools” > “Fiddler Options” > “HTTPS”, select the “Decrypt HTTPS traffic” option and click “OK”

- Now, open the Secunia PSI application again

- Monitor its behaviour using Fiddler. If nothing shows up in Fiddler, click the “Start Scan” button in Secunia PSI to scan your computer.

- Now, look at the responses from the Secunia server. As you can see, the responses contain information about your computer, which means the Secunia server has stored it in its database.

For example, look at the following images (if you cannot see the images, your ISP has been blocked by GoDaddy):

Now, my recommendation to Secunia is to use a local database on each computer to keep the locations of files and folders private. The only things that should be passed to the server are the user ID, the signature (hash) of the application, and a file or application ID which can be linked to the local database in order to find the exact location of those files and/or folders on the local computer. Moreover, I cannot understand why it needs to send the Domain/Workgroup name and the computer name to its server (maybe it is used for copyright!).
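As an added example of the design just recommended (not Secunia’s code, and not taken from the original post): the client keeps the full paths in a local SQLite table and sends the server only the user ID, a per-file ID and the file’s SHA-256 hash. The scan results, file contents, username, hostname and workgroup below are all constructed; the payload layout is an assumption.

```python
"""Privacy-preserving scan report: paths stay local, hashes go to the server.

Added example, not Secunia's code. Scan results and identity strings are
constructed; the JSON payload format is an assumption.
"""
import hashlib
import json
import sqlite3
import uuid

# Constructed scan result: (path, file contents). A real scanner would read
# the bytes from disk; here they are made up so the example runs offline.
SCAN_RESULTS = [
    (r"C:\Documents and Settings\jsmith\Application Data\Mozilla\Firefox"
     r"\Profiles\abc.default\extensions\noscript.xpi", b"noscript-1.0"),
    (r"C:\Program Files\ACME Project Falcon\falcon.exe", b"falcon-2.3"),
    (r"C:\WINDOWS\system32\msxml3.dll", b"msxml3-8.90"),
]
USERNAME = "jsmith"            # constructed
HOSTNAME = "WORKSTATION-01"    # constructed
WORKGROUP = "ACME"             # constructed


def open_local_db(path=":memory:"):
    """Create the client-side table mapping file IDs to full paths.

    ":memory:" keeps the example self-contained; a real client would use an
    on-disk file under the user's profile.
    """
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS files ("
        "file_id TEXT PRIMARY KEY, path TEXT NOT NULL, sha256 TEXT NOT NULL)"
    )
    return db


def sha256_hex(data):
    """Application signature: SHA-256 of the file bytes, as hex."""
    return hashlib.sha256(data).hexdigest()


def build_report(db, user_id, scan_results):
    """Store paths locally and return the JSON payload meant for the server.

    The payload carries only the user ID, random file IDs and hashes; no
    path, username, hostname or workgroup is included.
    """
    entries = []
    for path, contents in scan_results:
        file_id = str(uuid.uuid4())
        digest = sha256_hex(contents)
        db.execute("INSERT INTO files VALUES (?, ?, ?)", (file_id, path, digest))
        entries.append({"file_id": file_id, "sha256": digest})
    db.commit()
    return json.dumps({"user_id": user_id, "files": entries})


def resolve_local_path(db, file_id):
    """Turn a server-side finding (a file ID) back into the local path."""
    row = db.execute("SELECT path FROM files WHERE file_id = ?", (file_id,)).fetchone()
    return row[0] if row else None


def resolve_report(db, payload):
    """Map every file ID in a payload back to its local path (client side)."""
    return [resolve_local_path(db, e["file_id"]) for e in json.loads(payload)["files"]]


def payload_leaks_identity(payload, secrets):
    """True if any identifying string (username, hostname, path fragment)
    appears in the outgoing payload; used as a pre-send privacy check."""
    lowered = payload.lower()
    return any(s.lower() in lowered for s in secrets)


if __name__ == "__main__":
    db = open_local_db()
    payload = build_report(db, "user-123", SCAN_RESULTS)
    print(payload)
    print("leaks identity:", payload_leaks_identity(payload, [USERNAME, HOSTNAME, WORKGROUP, "\\"]))
    print("resolved locally:", resolve_report(db, payload))
```

The `payload_leaks_identity` check is the kind of assertion a client should run before every upload: if the username, hostname, workgroup or any backslash path fragment ever shows up in the outgoing JSON, the report must not be sent.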

My suggestion to users: currently (1st Dec. 2010), using Secunia PSI is a nightmare for people who want to be anonymous and for companies which want to keep all of their information private, and this application should be removed. Ask Secunia to fix this issue.

Hope to see a better Secunia PSI soon.