Posted by Virus Bulletin on May 14, 2013
HEAD requests likely used to determine landing page.
Is Microsoft checking all the links you share via Skype? German online magazine Heise thinks so.
A reader of security magazine Heise discovered that all URLs sent via Skype chat received a request from an IP address that was registered with Microsoft (which bought Skype in 2011). Heise managed to verify this claim and found that even URLs that included (fake) login credentials and were sent over HTTPS received such requests.
When asked about this by Heise, a spokesperson for Skype pointed to its privacy policy, which states that automatic scanning may take place to detect spam sent over the service. The magazine says the facts speak against Skype, for the requests are HEAD requests, which only ask for the server to send the HTTP headers, as opposed to the common GET requests, which ask for the full web page and which would be needed to scan its content.
However, I have to side with Skype here. A problem with URLs - especially those used for malicious purposes - is that many of them redirect to another URL, usually on another domain. The common use of URL shorteners, as well as compromised websites, for this purpose means that checking a URL against a blacklist is not always an effective way to block malicious URLs. And that's what HEAD requests are used for: one or more of them can determine the landing page without the need to request the full web pages.
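The redirect resolution described above can be sketched as follows. This is an added example, not code from Skype, Microsoft or Heise; the local demo server, its `/short`, `/hop` and `/landing` paths, and all function names are constructed for illustration so that it runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

# Constructed redirect map: a "shortener" path that hops twice before landing.
REDIRECTS = {"/short": "/hop", "/hop": "/landing"}

class DemoHandler(BaseHTTPRequestHandler):
    def do_HEAD(self):
        target = REDIRECTS.get(self.path)
        self.send_response(302 if target else 200)
        if target:
            self.send_header("Location", target)
        self.end_headers()  # headers only: a HEAD response never carries a body

    def log_message(self, *args):  # silence per-request logging
        pass

def start_demo_server():
    """Start the constructed demo server on a free local port."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port

def resolve_landing(url, max_hops=5, timeout=5):
    """Follow redirects with HEAD only; return (URLs visited, final status)."""
    chain = [url]
    while len(chain) <= max_hops + 1:
        parts = urlsplit(url)
        cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = cls(parts.hostname, parts.port, timeout=timeout)
        try:
            conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, status  # no further redirect: this is the landing page
        url = urljoin(url, location)  # Location may be relative
        if url in chain:
            raise ValueError("redirect loop at " + url)
        chain.append(url)
    raise ValueError("more than %d redirects" % max_hops)

def blocklist_hits(chain, blocklist):
    """Return every hop that is on the blocklist, not just the URL that was shared."""
    return [u for u in chain if u in blocklist]
```

Calling `resolve_landing(base + "/short")` against the demo server returns the three-hop chain, and `blocklist_hits` then flags the landing URL even though the shared URL itself is not listed.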
Of course, requesting the full pages would give Skype insight into the actual content of these pages, which would make it more effective at blocking spam. But doing so would also infringe the users' privacy - and thus I think they have made the correct decision here.
Sure, if you believe that mere knowledge of the existence of a URL would infringe your privacy (and there are certainly circumstances where this may be the case) this is a problem - but in such cases, sharing it using a third-party system is probably not a good idea in the first place. The inclusion of credentials in URLs, even if they are sent via HTTPS, is not common, and rather bad practice.
Heise's article can be found here (in German).
Posted on 14 May 2013 by Martijn Grooten