Microsoft 'found to make requests' to URLs shared via Skype

Posted by   Virus Bulletin on   May 14, 2013

HEAD requests likely used to determine landing page.

Is Microsoft checking all the links you share via Skype? German online magazine Heise thinks so.

A reader of security magazine Heise discovered that all URLs sent via Skype chat received a request from an IP address that was registered with Microsoft (which bought Skype in 2011). Heise managed to verify this claim and found that even URLs that included (fake) login credentials and were sent over HTTPS received such requests.

When asked about this by Heise, a spokesperson for Skype pointed to its privacy policy, which states that automatic scanning may take place to detect spam sent over the service. The magazine says the facts speak against Skype, for the requests are HEAD requests, which only ask for the server to send the HTTP headers, as opposed to the common GET requests, which ask for the full web page and which would be needed to scan its content.

However, I have to side with Skype here. A problem with URLs - especially those used for malicious purposes - is that many of them redirect to another URL, usually on another domain. The common use of URL shorteners, as well as compromised websites, for this purpose means that checking a URL against a blacklist is not always an effective way to block malicious URLs. And that's what HEAD requests are used for: one or more of them can determine the landing page without the need to request the full web pages.

Of course, requesting the full pages would give Skype insight into the actual content of these pages, which would make it more effective at blocking spam. But doing so would also infringe the users' privacy - and thus I think they have made the correct decision here.

Sure, if you believe that mere knowledge of the existence of a URL would infringe your privacy (and there are certainly circumstances where this may be the case) this is a problem - but in such cases, sharing it using a third-party system is probably not a good idea in the first place. The inclusion of credentials in URLs, even if they are sent via HTTPS, is not common, and rather bad practice.

Heise's article can be found here (in German).

Posted on 14 May 2013 by Martijn Grooten


spam scam url skype


Latest posts:

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

VB2021 localhost is over, but the content is still available to view!

VB2021 localhost - VB's second virtual conference - took place last week, but you can still watch all the presentations.

VB2021 localhost call for last-minute papers

The call for last-minute papers for VB2021 localhost is now open. Submit before 20 August to have your paper considered for one of the slots reserved for 'hot' research!

New article: Run your malicious VBA macros anywhere!

Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.