Reddit user Ponkers posted an interesting find to /r/Android today, pointing out a significant privacy hole in Skype for Android that essentially lets a caller force a device to answer a call, making eavesdropping nearly effortless.

Ponkers drew a diagram below, which I feel compelled to include based on its artistic merits, but here's the gist of how the process works.

Assume you have three devices, device 1, device 2, and device 3. There are also two Skype accounts involved: account A and account B. Device 1 and device 3 are attached to account A. Device 2 is attached to account B.

If account A's user calls device 2 from device 1 and then cuts off device 1's network connection, device 2 will automatically call and connect to device 3, giving the holder of account A a live connection to device 2 without the owner of that device necessarily knowing.

Illustration by Ponkers

Multiple Reddit users (and our own Artem) have apparently experienced this behavior, while at least one user reported that the behavior wasn't reliable. Skype's interface is of course up when the call connects for device 2, so it's likely that the user would notice, but this does seem like a fairly serious snafu.

Ostensibly, Skype thinks that the users want to be connected and that the lost network connection is a mistake, so it tries to fix the situation by reconnecting the two. Under normal circumstances, if both parties have willfully connected to a call, this kind of behavior would be welcome, as it would ensure that any interruptions in the conversation are minimal. The issue is that this can happen before the party receiving a call has accepted it. From what users have deduced so far, the bug seems to be specifically related to how Skype's Android app connects calls.
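To make the logic flaw concrete, here is an added toy model of the reported reconnect behaviour (constructed for this post, not Skype's code): the first policy reconnects the callee to another device on the caller's account whenever the link drops, while the second only does so once the callee has actually accepted the call. Device and account names mirror the diagram above.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed topology from the post: account A owns devices 1 and 3, account B owns device 2.
ACCOUNT_DEVICES = {"A": ["device1", "device3"], "B": ["device2"]}


@dataclass
class Call:
    caller_device: str
    caller_account: str
    callee_device: str
    accepted: bool = False              # has the callee actually answered?
    connected_to: Optional[str] = None  # device the callee ends up talking to
    log: List[str] = field(default_factory=list)


def drop_network(call: Call, reconnect) -> bool:
    """Simulate the caller's device losing its link, then apply a reconnect policy."""
    call.log.append(f"{call.caller_device} lost network")
    return reconnect(call)


def reconnect_unchecked(call: Call) -> bool:
    # Behaviour described in the post: hand the callee over to another device on the
    # caller's account, without checking whether the callee ever picked up.
    for dev in ACCOUNT_DEVICES[call.caller_account]:
        if dev != call.caller_device:
            call.connected_to = dev
            call.log.append(f"{call.callee_device} auto-connected to {dev}")
            return True
    return False


def reconnect_checked(call: Call) -> bool:
    # Hardened policy: only an accepted call is worth restoring; an unanswered
    # incoming call is cancelled, so the callee's microphone never opens unasked.
    if not call.accepted:
        call.connected_to = None
        call.log.append(f"incoming call on {call.callee_device} cancelled (never answered)")
        return False
    return reconnect_unchecked(call)


def simulate(policy, accepted: bool = False) -> Call:
    """Device 1 (account A) calls device 2 (account B); then device 1 goes offline."""
    call = Call("device1", "A", "device2", accepted=accepted)
    drop_network(call, policy)
    return call
```

Running `simulate(reconnect_unchecked)` reproduces the eavesdropping path (device 2 ends up connected to device 3 despite never answering), whereas `simulate(reconnect_checked)` only reconnects when `accepted=True`.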

At the time of writing it's unclear whether Skype is aware of the issue, but we have reached out for comment. Hopefully Skype can clarify the situation - we'll update this post with any official word.

Source: Reddit