iSkoot Pulls S60 Build, Plans To Push Fix 30 April 2008

Filed under: mobile phones, security, software, voip - 28 Apr 2008 10:09
Image: CIA Triad (via Wikipedia)

While it was, admittedly, not very nice of me to hand iSkoot a zero-day exploit publicly, on a weekend no less, there was a note on the iSkoot blog today explaining what happened and giving me credit for finding it. I realized my mistake shortly after I made the story public. And to be honest, I should know better, given that I work for a vendor and actually deal with security issues.

There is an ongoing debate among security researchers on the subject of full disclosure versus responsible disclosure. Now having fully experienced both sides of the issue, I was conflicted over the weekend. Did I do the right thing in disclosing this publicly before talking to iSkoot about it?

On one hand, spreading the information publicly without going to the vendor first gives end users a heads-up that they are at risk. On the other hand, the bad guys now know that this problem exists and can start looking for ways to exploit it. But how do we know they didn’t already know about this and weren’t already using the information for their own personal gain?

Had I instead held onto the information and talked with the vendor first, people wouldn’t have panicked unnecessarily and hackers wouldn’t have had access to the information needlessly. Of course, the time to resolution might then have been longer than it was, putting people’s Skype sessions needlessly at risk.

I don’t think there’s a “right” answer to this, personally, as even minds smarter than me can’t agree on this topic. I think everyone involved understood my intentions were good, even though some could argue I should have done this differently. In the future, if I run into another zero-day exploit, I hope to keep this experience in mind.

iSkoot claims they’ll have a new version out and pushed to users by Wednesday. Looking forward to seeing it for myself and verifying that I see SSL in those packet traces. ;)
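For anyone who wants to do the same verification on their own trace, here is the kind of check I mean, written as an added example for this post rather than anything from iSkoot or from the original write-up. It takes the TCP segment payloads you would pull out of a packet capture (the sample payloads below are constructed for the example, including a made-up "LOGIN user=... pass=..." line, not iSkoot's real protocol), labels each one by whether it starts with a TLS/SSL record header, and, more importantly, searches every non-TLS payload for a test password you logged in with. Seeing a handshake on the wire is not enough on its own; the real question is whether the credential still turns up in the clear anywhere in the session.

```python
"""Heuristic check over captured TCP payloads: is the client speaking TLS/SSL,
and does any payload still carry the test credential in cleartext?

Added example; sample payloads below are constructed, not from a real capture."""
import struct

# TLS record-layer framing (RFC 5246 section 6.2.1); SSLv3 uses the same layout.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
TLS_HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                       16: "client_key_exchange"}
MAX_RECORD_LEN = 2 ** 14 + 2048  # plaintext limit plus compression/cipher overhead


def classify_payload(payload: bytes) -> str:
    """Label the start of one TCP segment payload.

    Returns e.g. 'tls:handshake/TLS1.0:client_hello', 'tls:application_data/TLS1.2',
    'plaintext' when the bytes do not look like a TLS record, or 'empty'.
    """
    if not payload:
        return "empty"
    if len(payload) < 5:
        return "plaintext"
    ctype, version, length = struct.unpack(">BHH", payload[:5])
    if ctype not in TLS_CONTENT_TYPES or version not in TLS_VERSIONS or length > MAX_RECORD_LEN:
        return "plaintext"
    label = f"tls:{TLS_CONTENT_TYPES[ctype]}/{TLS_VERSIONS[version]}"
    # For handshake records the first body byte is the handshake message type.
    if ctype == 22 and len(payload) >= 6 and payload[5] in TLS_HANDSHAKE_TYPES:
        label += ":" + TLS_HANDSHAKE_TYPES[payload[5]]
    return label


def audit_capture(segments, secrets):
    """segments: iterable of (direction, payload_bytes) in capture order.
    secrets: strings (e.g. the test password) that must never appear in the clear.
    Returns per-segment labels, a list of cleartext findings, and whether any TLS was seen."""
    labels, findings = [], []
    for idx, (direction, payload) in enumerate(segments):
        label = classify_payload(payload)
        labels.append((direction, label))
        if label.startswith("tls:"):
            continue  # record framing present; body is (presumably) encrypted
        for s in secrets:
            if s.encode() in payload:
                findings.append(f"segment {idx} ({direction}): '{s}' sent in cleartext")
    return {"labels": labels,
            "findings": findings,
            "uses_tls": any(l.startswith("tls:") for _, l in labels)}


# --- Constructed sample payloads (not from a real capture) ---------------------
# A minimal TLS 1.0 ClientHello: one cipher suite, no session id, no extensions.
_random = bytes(range(32))
_hello_body = b"\x03\x01" + _random + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
_handshake = b"\x01" + len(_hello_body).to_bytes(3, "big") + _hello_body
CLIENT_HELLO = b"\x16\x03\x01" + len(_handshake).to_bytes(2, "big") + _handshake
# An application_data record with 16 bytes of (fake) ciphertext.
APP_DATA = b"\x17\x03\x01\x00\x10" + bytes(range(0xA0, 0xB0))
# Hypothetical cleartext login line; the format is invented for this example.
LEAKY_LOGIN = b"LOGIN user=phoneboy pass=Tr0ub4dor\r\n"

SAMPLE_SEGMENTS = [("c->s", CLIENT_HELLO), ("c->s", APP_DATA), ("c->s", LEAKY_LOGIN)]
TEST_SECRETS = ["Tr0ub4dor"]  # the throwaway password used for the test login

if __name__ == "__main__":
    result = audit_capture(SAMPLE_SEGMENTS, TEST_SECRETS)
    for direction, label in result["labels"]:
        print(direction, label)
    print("TLS seen:", result["uses_tls"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Two caveats on reading the result. First, a session can carry TLS to one host and still send the credential in the clear to another, which is why the audit looks at every non-TLS payload rather than stopping once it has seen a ClientHello. Second, a handshake on the wire says nothing about whether the client actually validates the server certificate; a client that accepts any certificate is still trivially interceptable, so the packet trace is a necessary check, not a sufficient one.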


8 Comments »

  1. Comment by Matthew Stevens

    I think you are right to disclose the security risk. There was no way to know if iSkoot would care or not; many application developers could have cared less whether or not such security risks exist. Exposing such risks either gives the developers a kick in the butt to fix it or warns users they are taking a risk; either way we all benefit. Many security risks have been discovered in Windows and are often widely publicized, even sensationalized, by the media. The benefits outweigh the risk in this case.

  2. Comment by Markus Göbel's Tech News Comments

    You are well known now even in Germany:

    The Skype password can be stolen using the iSkoot mobile phone software for S60
    http://www.areamobile.de/news/9108.html

    ;)

  3. Pingback by Skype Journal

    [...] really is passionate about seeing Skype succeed and really wants to help. This is how the blogosphere helps and will continue to do so. Smart companies embrace passion. It’s only insecure executives who fear their help. PhoneBoy himself debates whether he followed the right process by exposing a “zero day exploit” without first approaching the vendor. And, in closing, it was only at Jeff Pulver’s VON Social Networking Breakfast where there was an event attended by PhoneBoy, Mark Jacobstein, Andy and myself along with other VoIP [...]

  6. Pingback by VOIP IP Telephony

    [...] new fixed version will be uploaded to Symbian phone and all the users should have received it by now. iSkoot also mentioned that all other versions, Blackberry, J2ME, Windows Mobile, etc. were not affected. So go ahead and use them. We all got to thank phoneboy for his work! unlike other people who look at it in a different light. Then again kudos for iSkoot for taking action. We all need to work together to have good products, producers and users alike. Just keep your eyes open.

  7. Pingback by iSkoot SSL Problem, Disclosure Of Skype User Names And Passwords, Has Been Fixed. | VoIP MoVoIP Blog

    [...] J2ME, Windows Mobile, etc. were not affected. So go ahead and use them. We all got to thank phoneboy for his work! unlike other people who look at it in a different light. Then again kudos for iSkoot [...]

  8. Pingback by 2008 April | iSkoot Blog

    [...] Of Skype User Names And Passwords, Has Been Fixed. | VoIP MoVoIP Blog on *iSkoot Security Update*; iSkoot Pulls S60 Build, Plans To Push Fix 30 April 2008 on *iSkoot Security Update*; Voice of VOIPSA » Blog Archive » iSkoot disclosure of Skype [...]
