While the Internet gets a reputation for being an anonymous playground, nothing is completely anonymous. Microsoft seems to be proving that point today, with the discovery they're accessing any secured links sent via Skype. Any HTTPS URL transmitted via Skype is picked up by the software giant, and then visited by an IP address from Redmond.
This was first picked up by an anonymous tipster, who informed Heise Security since it bore similarity to a replay attack. Somewhat ironically, Microsoft themselves explain what a replay attack is. In a nutshell, it's repeated legitimate traffic, which is then treated as such.
Heise was able to confirm the tipster's suspicions, using two test URLs to do so. They sent a URL containing login information, and one pointing to a cloud-based service. Both URLs were later revisited by a Redmond IP address, so it was no isolated incident.
You may wonder how this can be justified. It's in Skype's data protection policy, and is for 'preventing spam, fraud or phishing links'.
This bit in the policy has Microsoft covered.
You may remember the open letter which was published after Microsoft's Skype takeover. It queried how the giant would act with US government requests, and whether they would invade user privacy.
Whether you consider this revelation with secured web links an invasion or not, it'll doubtless have some effect.
Source: Heise Security
37 Comments - Add comment