HTTP://: – This Eight-Character Text Message Bug Is a Spike to Skype
Would you believe that a few characters in a text message are enough to mess with iPhones? As reported some days ago, there’s an iPhone bug that allows a simple text message to restart the phone and make it difficult to run the Messages app. Apple has already been made aware of the problem and has provided the necessary updates to address it.
Something similar is now happening to Skype. However, the characters involved are rather easier to type and remember. In the case of the iPhone bug, the characters (pictured above) are rarely used by most iPhone users – mostly non-Western characters (Arabic, Chinese, and Marathi). With the Skype text message bug, the offending set of characters is the relatively simple and easy-to-type “http://:”. Yes, these are the letters and characters that prefix the URLs or web addresses of websites. HTTP is an acronym for Hypertext Transfer Protocol. While not many will accidentally type “http://:” (take note of the colon after the second slash) when sharing URLs over Skype, those who intend to crash some other Skype user’s app can simply type these characters and send the message to an unwitting victim.
Devices and Operating Systems Affected
This Skype bug is reportedly affecting numerous devices that use the iOS, Android, and Windows operating systems. These include iPhones, iPads, the multitude of Android smartphones and tablets, the Lumia series of smartphones, and laptop and desktop computers that run Windows. Macs are said to be free from the effects of this bug.
As of this posting, Skype has already released an update for the app to address the problem. All Skype users (except those on Mac) are encouraged to update their apps to avoid encountering the frustrating problem.
Effects of the Bug
As reported by The Guardian, the Skype bug is capable of continuously crashing the app. Relaunching the app will not set things back to normal. Unlike the iPhone bug that only restarts the device and causes some inconveniences on the messaging app, the one on Skype appears to have a lingering effect. Apparently, the only way to address the problem is to uninstall and reinstall Skype. Techie observers believe that this happens because the Skype app, by default, automatically loads all previous messages or conversations from the most recent sessions. Hence, the offending eight-character text automatically gets reloaded and allowed to adversely affect the Skype application again. There are reports that clearing the chat history will not suffice as a solution since the chat history may be downloaded by the Skype app from the server and simply lead to another crash.
In the iPhone bug, it is believed that the problem arises because of the way iOS is processing Unicode text to be displayed in the notification banner. The iPhone operating system is apparently struggling in displaying non-Western characters for the banner notifications, making iOS restart. The banner notification, by the way, is the notification displayed on the dropdown menu. When it comes to the Skype bug, Microsoft has not released any official answer as to how the simple and commonly used characters “http://:” are causing Skype to crash. However, PORT_1337, a Skype user on the Skype forums, analyzed the problem and guessed that the characters “http://:” are directing Skype to read from a protected memory space and the Windows kernel (or the equivalent on Android and iOS) stops the process, causing the app to crash.
Solutions: Upgrade or Downgrade
As mentioned, simply clearing the conversation history will not solve the problem. A reinstallation may temporarily solve the issue, but if the installer used is the same version of Skype, the problem will simply reemerge. The most logical solution is to upgrade to the latest version of the app released by Skype. There are reports, however, that downgrading to an older version of Skype (version 6.x) can also be a solution.
According to Chris Wysopal, the chief technology officer of code security company Veracode, this simple but highly inconvenient problem shows a poor security testing process on the part of Skype. Wysopal says that inputting malformed URLs is a basic step in software quality assurance testing. As such, Skype’s developers must have been careless not to have detected that something was wrong with the app when it was given a simple erroneous URL prefix. However, this recently discovered Skype issue is not that serious a concern in terms of privacy and security. Wysopal says that it is unlikely for the bug to be remotely exploitable. There is very little chance for an attacker to take over a device after downing the Skype app with the eight-character message. It is not comparable to the kind of threat the Superfish in Lenovo laptops poses.
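As an added illustration of the malformed-URL testing Wysopal describes and of the history-reload behaviour noted earlier, the sketch below shows a message renderer that treats unparseable link candidates such as “http://:” as plain text and isolates a failing message during history replay. It is not Skype's code and does not reproduce the actual defect, whose cause Microsoft has not published. The function names, the placeholder text and the sample corpus are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Tokens that start with an http(s) scheme prefix are link candidates.
CANDIDATE = re.compile(r"https?://\S*", re.IGNORECASE)

# Constructed regression corpus of malformed URL prefixes (sample data).
MALFORMED = ["http://:", "HTTP://:", "http://", "http://:80",
             "http://[", "http://host:notaport", "https://:@"]


def safe_link(token):
    """Return token if it is an http(s) URL with a host and valid port, else None."""
    try:
        parts = urlsplit(token)   # raises ValueError on e.g. "http://["
        host = parts.hostname     # None when the host is empty, as in "http://:"
        parts.port                # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return token


def render_message(text):
    """Split text into ("text", s) / ("link", url) segments without raising."""
    segments, pos = [], 0
    for match in CANDIDATE.finditer(text):
        if safe_link(match.group(0)) is None:
            continue              # malformed candidate stays plain text
        if match.start() > pos:
            segments.append(("text", text[pos:match.start()]))
        segments.append(("link", match.group(0)))
        pos = match.end()
    if pos < len(text):
        segments.append(("text", text[pos:]))
    return segments


def render_history(messages):
    """Replay stored history; a message that fails to render is replaced by a
    placeholder so one bad entry cannot abort every later launch."""
    rendered = []
    for text in messages:
        try:
            rendered.append(render_message(text))
        except Exception:
            rendered.append([("text", "[message could not be displayed]")])
    return rendered
```

Running every entry of the corpus through the renderer on each build is the kind of malformed-input check the paragraph above refers to.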