This extension is one of the most popular Chrome extensions, with around 9 million users to date, Palant said. It was designed as an aid for the Skype app, which would add buttons to apps to create a Skype conversation. Palant found that the extension was largely unmaintained for the past four years and its functionality was completely broken while allowing “every website to trivially learn your identity” — which affects essentially all Microsoft services, including the Office 365 suite and Outlook.
A Useless But Dangerous Extension
Palant found that the Skype-for-Chrome extension was useless and “reduced to a bookmark for Skype for Web.” Yet, the forgotten extension remained a security and privacy risk in that it would leak a user’s identity. “One piece of functionality still working in the Skype extension was keeping track of your identity” Palant remarked. The extension would track whether a user is logged into a Microsoft account such as skype.com, outlook.com “or any other Microsoft website,” after which it would request a function that incorrectly communicated user identifiers directly to the website, instead of its own storage. This flaw meant that Skype usernames and profile images could be retrieved via the Skype name. This was “available to each and every website you visit” because the extension would run its content scripts everywhere.
Obsolete Integrations
The problem was that the Skype extension was still integrated with Gmail, Google Calendar, Google Inbox (which shut down in 2019), Outlook, and Twitter. “[Except that] these websites evolved, and these days the extension could only somewhat add its button on Gmail” Palant added. “Then a malicious page merely needs to have the right elements and the Skype extension will inject its button” Palant outlined. Due to this, a website could have been used to spam a user. However, this particular piece of problematic code was closed in mid-2021 by Microsoft when they shut down “api.scheduler.skype.com” — meaning that the extension stopped leaking information directly to websites.
Microsoft Lazily Tidied Up Code
Palant disclosed the issues to Microsoft’s MSRC Researcher Portal on December 1st, 2021. A year later Microsoft was still “reviewing” the issue, after which Palant prodded Microsoft again for a response. Only after asking others for help via Twitter and Mastodon did Palant manage to get someone’s attention at Microsoft’s PR department regarding the issue, in early February 2022, he said. Consequently, Palant’s PoC (Proof-of-Concept) was accessed for the first time on February 25th, 2022 by a relevant Microsoft department. Now “all the problematic code is completely gone” and the extension has no content scripts at all. “All functionality is now located in the extension’s pop-up” — a new functionality, making it a completely different product. The extension’s web page still reads “Read a good article? Now you can share a site directly with your Skype contacts,” which means Microsoft has not bothered to update it. The “Get Skype extension for Firefox” link is still present and leads to nowhere, Palant said. Third-party Chrome browser extensions have been known to bring about a host of security and privacy issues. For optimal security and privacy, check out our article about the most private and secure browser extensions.
