12

I usually have Skype running in the background. If you have ever used Skype before, you probably know it has advertisements. One of these advertisements made two windows pop up on my screen, asking to download a file. Windows caught it though (for once...). This made me wonder, how could an ad on Skype make windows pop up?

Notice in the first picture, it's a .js file. Does Skype allow JavaScript to be run on my computer through ads? If so, what can be done? Can an attacker access my files, or track my keystrokes? Is there an exploit in Skype that hasn't been patched yet?

first image


Greg M

2 Answers

9

It seems to me that Skype is using the areyouahuman.com ad tech to only deliver their ads to "humans".

Why does it want to download the file? If you look at "Type", it says: Undecided, which could be a bug in the areyouahuman server, which failed to set the Content-Type header. In the case of browsers, they normally display the "download file" pop-up when the type is not recognized (similar to what happened to you).

It may be that Skype is using an embedded browser instance to execute the banners. I don't know if that is true, but that seems to be the case.

Does it pose a security risk? I'm sure it does. If Skype is rolling their ads allowing JavaScript, someone could potentially inject malicious code into them.

How bad can it get if that happens? If what I stated before is true, my guess is that it can get as bad as any browser vulnerability.

Better to contact Microsoft and report that bug.

lepe
  • Is there a way to block these? – Motivated Apr 22 '16 at 06:29
  • @Motivated: Does this work? http://www.cnet.com/how-to/how-to-disable-ads-in-skype/ . I use Linux, so no ads here :) – lepe Apr 22 '16 at 06:32
  • @Motivated: I found this thread: http://superuser.com/questions/547807/how-to-disable-the-skype-ads-advertisement with plenty of alternatives. I hope it helps. – lepe Apr 22 '16 at 06:36
1

Even if Skype can run JavaScript, it's not necessarily the end of the world. I agree it is bad, as it greatly increases functionality ads can access. But don't forget there is the https://en.m.wikipedia.org/wiki/Same-origin_policy thing going on. So saying "because someone can execute JavaScript on your client means you are completely owned" is like saying don't ever browse the web with js turned on*.

* I actually try not to, but for other reasons.
user_al
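
The same-origin comparison that the answer above links to, as an added example that is not part of the original answers. The ad origin and target URLs are constructed, and the code models the standard scheme/host/port check only, not how Skype's embedded ad view is actually configured.

```javascript
// Added example: same-origin check as defined by the web origin model
// (scheme, host, port). All URLs below are constructed for illustration.

// Returns the serialized origin, or null when the URL has an opaque origin
// (file:, data:, ...) or cannot be parsed.
function originOf(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null;
  }
  // The URL API serializes opaque origins as the string "null".
  return parsed.origin === "null" ? null : parsed.origin;
}

// Two URLs are same-origin only if both have a non-opaque origin and
// scheme, host and port all match (default ports are normalized).
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && ob !== null && oa === ob;
}

// Compare every target against the origin the script was loaded into.
function classifyTargets(scriptUrl, targets) {
  return targets.map((t) => ({ target: t, sameOrigin: sameOrigin(scriptUrl, t) }));
}

const AD_FRAME = "https://ads.example/banner.html"; // hypothetical ad origin
const TARGETS = [
  "https://ads.example:443/tracker.js",  // same origin, explicit default port
  "http://ads.example/banner.html",      // scheme differs
  "https://cdn.ads.example/x.js",        // host differs (subdomain)
  "https://ads.example:8443/x.js",       // port differs
  "https://mail.example/inbox",          // unrelated site
  "file:///C:/Users/me/Documents/a.txt", // local file: opaque origin
];

for (const r of classifyTargets(AD_FRAME, TARGETS)) {
  console.log((r.sameOrigin ? "same-origin   " : "cross-origin  ") + r.target);
}
```

Only the first target shares the ad frame's origin; the local file path has an opaque origin and never matches anything, including itself.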