While it was, admittedly, not very nice of me to hand iSkoot a zero-day exploit publicly, on a weekend no less, there was a note on the iSkoot blog today explaining what happened and giving me credit for finding it. I realized my mistake shortly after I made the story public. And to be honest, I should know better, given that I work for a vendor and actually deal with security issues.

There is an ongoing debate among security researches on the subject of full disclosure versus responsible disclosure. Now having fully experienced both sides of the issue, I was conflicted over the weekend. Did I do the right thing in disclosing this publicly before talking to iSkoot about it?

On one hand, spreading the information publicly without going to the vendor first gives end users a heads up that they are at risk. On the other hand, the bad guys now know that this problem exists and can start looking for ways to exploit. But how do we know they didn't already know about this and weren't already using this information for their own personal gain?

On the other hand, had I held onto the information and talked with the vendor first, people wouldn't have panicked unnecessarily and hackers wouldn't have had access to the information needlessly. Of course, then it's possible the time to resolution could have taken longer than it did, putting people's Skype sessions needlessly at risk.

I don't think there's a "right" answer to this, personally, as even minds smarter than me can't agree on this topic. I think everyone involved understood my intentions were good, even though some could argue I should have done this differently. In the future, if I run into another zero-day exploit, I hope to keep this experience in mind.

iSkoot claims they'll have a new version out and pushed to users by Wednesday. Looking forward to seeing it for myself and verifying that I see SSL in those packet traces. ;)

Looks like iSkoot made a mistake with their Nokia S60 client and will make it right. Apparently a non-production version of the S60 client made it to the public web, which sends data in the clear. Other published versions of their client on other platforms are unaffected.

iSkoot CEO Mark Jacobstein says the existing S60 build will be pulled. The bug will be fixed and a forced upgrade to a patched version will be pushed.

Thanks to Andy Abramson and Jim Courtney for their behind-the-scenes help with this. Update: Forgot to thank Dan York as well, who helped despite spending the weekend driving a U-Haul. :)

Dan York asked for this. Here's the tell-tale sign from tcpdump that the user information is in the clear. Obviously, I used a different username than my own here as obscuring my password was difficult:

10:29:56.656220 IP 10.3.2.124.43852 > 69.25.76.54.80: P 1:410(409) ack 1 win 64240 <nop,nop,timestamp 415368834 3930262309>
0x0000:  4500 01cd 747d 4000 4506 21e0 0a03 027c  E...t}@.E.!....|
0x0010:  4519 4c36 ab4c 0050 1c0c e369 bc2c c4f5  E.L6.L.P...i.,..
0x0020:  8018 faf0 2fba 0000 0101 080a 18c2 0682  ..../...........
0x0030:  ea43 0b25 4745 5420 2f73 6372 6970 742f  .C.%GET./script/
0x0040:  6765 745f 7265 675f 6b65 792e 706c 3f6e  get_reg_key.pl?n
0x0050:  616d 653d 696e 7365 6375 7265 2d75 7365  ame=insecure-use
0x0060:  7226 7061 7373 3d69 6e73 6563 7572 652d  r&pass=insecure-
0x0070:  7061 7373 776f 7264 2673 6964 3d77 6b53  password&sid=wkS
0x0080:  6870 4363 5933 3962 5426 6275 696c 643d  hpCcY39bT&build=
0x0090:  6953 6b6f 6f74 2d53 3630 2664 6576 6963  iSkoot-S60&devic
0x00a0:  653d 4e4f 4b49 412d 4e39 3526 6361 703d  e=NOKIA-N95&cap=
0x00b0:  6368 6174 3a32 2c70 7573 683a 3226 6e65  chat:2,push:2&ne
0x00c0:  7477 6f72 6b3d 736b 7970 6526 6c61 6e67  twork=skype&lang
0x00d0:  3d45 4e26 7665 7273 696f 6e3d 312e 312e  =EN&version=1.1.
0x00e0:  3539 2661 6374 3d31 2666 7764 6e62 723d  59&act=1&fwdnbr=
0x00f0:  2532 4231 3336 3039 3831 3634 3136 2666  %2B13609816416&f
0x0100:  6972 7374 7573 653d 3230 3038 2d30 342d  irstuse=2008-04-
0x0110:  3236 2d30 302d 3537 2673 6571 3d36 2663  26-00-57&seq=6&c
0x0120:  6c69 643d 556e 6176 6169 6c61 626c 6520  lid=Unavailable.
0x0130:  4854 5450 2f31 2e31 0d0a 486f 7374 3a20  HTTP/1.1..Host:.
0x0140:  6973 6b2d 626f 732d 6170 7031 2e69 736b  isk-bos-app1.isk
0x0150:  6f6f 742e 636f 6d0d 0a41 6363 6570 743a  oot.com..Accept:
0x0160:  2074 6578 742f 706c 6169 6e0d 0a55 7365  .text/plain..Use
0x0170:  722d 4167 656e 743a 2069 536b 6f6f 7420  r-Agent:.iSkoot.
0x0180:  5379 6d62 6961 6e0d 0a58 2d4e 6f6b 6961  Symbian..X-Nokia
0x0190:  2d4d 7573 6963 5368 6f70 2d56 6572 7369  -MusicShop-Versi
0x01a0:  6f6e 3a20 312e 302e 300d 0a58 2d4e 6f6b  on:.1.0.0..X-Nok
0x01b0:  6961 2d4d 7573 6963 5368 6f70 2d42 6561  ia-MusicShop-Bea
0x01c0:  7265 723a 2057 4c41 4e0d 0a0d 0a         rer:.WLAN....

I did some cursory looking around at the data stream again and saw that pretty much everything is being shuttled around in the clear.

For the sake of argument, I looked at a Skype Mobile session. The only piece of information I saw in the clear was some basic information about my handset. Nothing that wouldn't normally be disclosed when accessing a web site.

While it's true that iSkoot is disclosing stuff, let's put this into perspective for a moment. The only realistic way this could be "discovered" is someone gets into a router like I did and dump the traffic, which is possible, but not terribly. The other possibility is if you use iSkoot over WiFi. Someone within sniffing distance could easily pull the unencrypted information out of the air, assuming the WiFi access point was open or the WEP or WPA key was known.

That all being said, there's absolutely no excuse for not encrypting the information with SSL and using HTTP POST instead of HTTP GET.

Various people are thinking that Skype Mobile is basically an unbranded iSkoot, which does the same thing in much the same way. Generally speaking, they seem to do the same thing, but they do it very differently. Packet traces don't lie.

I loaded up iSkoot on my Nokia N95 and accessed the iSkoot service via WiFi. I did this so I could capture what the iSkoot client was sending out so I could see the difference. And oh, boy was it different--different enough that I would think twice about using iSkoot.

First of all, Skype appeared to use a TCP connection on a non-standard port. Fine with me. I looked at the raw packets generated by Skype Mobile and saw an opaque blob--exactly what I expected to see.

iSkoot uses TCP port 80--the same port used by HTTP, the lingua franca of downloading web pages. It sends various things as a series of HTTP GET calls. The scary part of this that your text chat messages--and lots of other interesting information, including your Skype credentials--is being transmitted in the clear. That's right, iSkoot takes all that perfectly good encryption that Skype employs and throws it out the window. For no good reason.

Until iSkoot fixes this problem--and it would be very easy for them to do so (ever hear of SSL?)--I cannot in good conscious recommend using iSkoot.

Update: Issue is resolved in their latest Symbian/S60 client.

Long, long-time followers will know my sordid history with Check Point FireWall-1 and various issues related to network security. I'm all too familiar with how companies can--and do--restrict their users. My employer is no exception. While they have loosened their stance on responsible use of certain applications over the years, one of the fundamental things about the network is that in order to get out to the Internet, you must go through an HTTP proxy.

Enter two new applications I've looked at recently; Yugma and Tungle. Yugma is like WebEx or GoToMeeting. Tungle allows you to more easily schedule meetings across corporate boundaries. Both are exceptionally useful applications.

My acid test for any application is the corporate network. If it can work in our corporate network, chances are, it will work anywhere. Skype is a wonderful example of an application that works everywhere--including on our corporate network. On one hand, I find it scary from a security standpoint, but as a user, I appreciate that it just works.

Some applications fail the HTTP Proxy test. SightSpeed--one of my favorite ways to video chat--simply won't work through the corporate firewall. You can blame SIP for not working through an HTTP proxy, which SightSpeed can't do much about.

Tungle is another one that fails the firewall test, particularly the part that synchronizes free/busy with the Tungle server so your friends can schedule a meeting with you. Other parts of Tungle will work just fine with a regular HTTP proxy. Furthermore, there's no way to even configure proxies into Tungle. The folks at Tungle are aware of these limitations and are addressing them.

Yugma, at least, seems to have some support for HTTP Proxy. It pops up a dialog box after spinning its wheels for a while, realizing it might need one. However, my experience is that I can't make session sharing to work in this configuration.

It's a challenge to work around all the various firewall issues. However, for large-scale corporate adoption of your product, this is a must.

Creative Commons License photo credit: roney