Feature, Bug or Just a Huge Security Risk? Skype for Business, Examined

save
Share and earn Cybytes
Facebook Twitter Google+ LinkedIn Email

Here at Heimdal Security, we spread our time between providing security tools to prevent serious attacks like ransomware or next-gen malware and providing the education necessary to keep personal data safe across various platforms and devices.

Sometimes, it becomes obvious that tools and education alone won’t keep users truly safe online, nor will they enforce their privacy. Sometimes, ubiquitous, extremely popular services release some features that truly boggle the mind. Skype for Business is one.

This week, we discovered a serious security risk and privacy breach with the Skype for Business app. It was not related to hacking and other cyber-attacks but a pure “feature”, whose purpose and value we haven’t yet been able to decipher.

If you do a Skype for Business call with “screen-sharing” turned on, be prepared to share more than what you wanted.

Once the person who started screen-sharing hangs up, the desktop-sharing function will continue. The people at the other end of the line will still see what’s happening there.

If the person who had hosted the session does not notice the tiny warning at the top, they will continue sharing whatever they’re doing on the screen. Spreadsheets with sensitive financial data, inbox contents, private messages on Facebook, all of them will be seen by the other person.

Had a cybercriminal participated in a conversation like this, they would have had a field day with the info obtained. In some areas, a competitor could do seriously damage with how much information they are able to see.

We thought that we had stumbled upon a serious security flaw. Imagine our surprise when, after a few seconds of Googling the issue and thinking about contacting Microsoft, we came across this thread. No, screen sharing after ending a call is a “feature, not a bug”. Never mind the fact that a regular Skype user first calls someone to start a meeting, then opens a presentation, then closes the call and assumes that the entire interaction ended.

Why would someone possibly want for their screen to still be visible to the other person, even though the dialogue ended? Even if, by chance, that was the case, the tiny ribbon that lets you know screen-sharing has such an unobtrusive design, a regular user will definitely miss it. For such a security-sensitive feature, you’d think neon colors were in order. Certainly, a pleasant design should not be the only priority for Skype for Business.

After all, the people using it do have plenty of sensitive information that should not leak.

Here is what the caller who initiated screen-sharing can see once he/she hangs up.

skype for business screen share issue

Here is what’s visible to the ones that just left that call. Spoiler: it’s everything the initial caller is currently doing.

skype for business share screen issue

And, finally, this is the placement of the ribbon that was designed to let the user know their screen is still being broadcast. It’s almost black, on top of a browser bar of the same color. If someone had a secondary display and they were to continue working on the screen with the Skype for Business window, it would have been almost impossible to spot that message.

skype for business screen sharing issue

What’s worse is that this is something that’s been signaled plenty of times.

Microsoft’s response? “It’s an expected behavior,” said a customer representative. He followed that an invitation to “vote for this feedback” at another link. And a recommendation to “close the Skype for Business chat window to end Skype call and screen sharing at the same time.”

Yes, the official suggestion is to close the entire window, not press the button that’s for ending the call.

Give it a bit more time, and instead of customer support signaling a bad UI design (user interface) and the developers fixing it, someone will tell you to put a sticker on your webcam if you want to stop broadcasting. This is not to mention what a huge GDPR infringement this Skype for Business bug is. Some experts point out that even sharing usernames in unencrypted communications or on screens can be against the General Data Protection Regulation.

 

Microsoft is not alone in this and could probably pin this one on miscommunication, not bad intentions.

What users have to do is to secure their device with the essential security layers and remain updated with current news, so they can act swiftly and protect themselves and their valuable data.

Heimdal Official logo

If you liked this post, you will enjoy our newsletter.
Receive new articles directly in your inbox

The post Feature, Bug or Just a Huge Security Risk? Skype for Business, Examined appeared first on Heimdal Security Blog.

Share this post and earn Cybytes
Facebook Twitter Google+ LinkedIn Email
Follow
128 Followers
About Heimdal Security
We protect users and companies from cyber-criminal actions, by keeping confidential information and intellectual property safe. We build products focused on proactive cyber security and we dedicate a big part of our efforts to cyber security education for everyone.
Promoted Content
Expert Roundup: Is Internet Security a Losing Battle?
A while ago, one of our readers asked us to answer the following questions: Is Internet security a losing battle? How come companies are always 1-2 steps behind the fight? How can the bad guys respond so fast?That reader is certainly not the only one with this issue on his mind. Many Internet users feel discouraged by the current state of cyber crime and its consequences, and the rest don’t yet understand why they should care about it. We wanted to do something to change this.Naturally, users like you and me are not the only ones who wrestle this dilemma. Within the industry, cyber security experts are deeply involved in studying the causes and changes which have brought us to this point so they can create better solutions. Each of these experts brings a different perspective to the discussion, because no single person can ever claim to have the full picture.That is why we reached out to some of the most experienced cyber security specialists in the field to gather their thoughts on the topic. We believe that the questions we received are justified and they deserve an honest answer. And you will find plenty of them in the article!

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel