SkypeSkrayping Part 1

Being that it is now known that the US electrical grid can be electronically breached, SSC will be displaying how easy it is to for attackers to access communication systems as well. Today will include Skype, a popular proprietary Voice-Over-Internet-Protocol (VOIP) system that enables little to no-cost calling using the Internet. We demonstrate that the weaknesses exist between the integration of the Web and standard telephony features. This includes Skype-Out, Skype-In, and Skype-Voicemail. We were able to demonstrate that a targeted attack could permit incoming call hijacking (leading to eavesdropping and call log monitoring), as well as outbound calls and voicemail access. The attack vector exists using Cross-Site Request Forgery. Although Skype does not maintain "logged-in" browser sessions as long of a duration as Amazon, Hulu or Netflix, with the right attack vector, given it's popularity, phishers could use this type of attack to successfully perform "SkypeSkrayping".