Hack 90. Manage Add-On Access Control

For security purposes, Skype restricts add-ons from accessing its API. This hack will help you understand and manage how your add-ons use Skype.

Works with: Windows, Linux, and Mac OS X versions of Skype.

Skype's API is a powerful tool for extending Skype's functionality and using its services. However, like any tool, it can be misused. To protect itself from malicious add-ons that might use the API, Skype provides some access control tools.

11.6.1. Understand Add-On Access Control

To manage intelligently how add-ons can access Skype, first you need to understand how Skype has implemented access control on the three platforms that support its API. The first thing to realize is that Skype controls add-on access at the Skype user level and not at the installation level. Put another way, the access control list is maintained in config.xml (user) rather than shared.xml (all users), so each Skype user must manage their own access control for add-ons.

11.6.1.1. Windows and Mac OS X.

When an add-on tries to access the Skype API, Skype makes a digital signature of the file that was run and is requesting access. For example, when you run a VBScript, the add-on that is really making the request is WScript.exe (or perhaps CScript.exe, depending on how you are running the script). And if you give it permission to access Skype, a digital signature will be placed in config.xml for the Skype user currently logged on, as this fragment from config.xml illustrates:

 …
 <UI>
    <AccessControlList>
       <Client1>
          <Key1>073d4fafd04afde1b9cf9441a997d7cc27e43f2127
                e0f5b60a675a765dde6e27</Key1>
          <Key2>4af2cb52c5af3c568856af89f2e4cdb0</Key2>
          <Key3>65804</Key3>
          <Path>C:\Program Files\rapidSoft\rapidSoft.exe</Path>
       </Client1>
       <Client2>
          <Key1>8a85438e06e61ea46f989d478f9bb32b89279
                39f974d95796efcb5e554fb9267</Key1>
          <Key2>77ab71633cc6db19bb3366ea02ea491a</Key2>
          <Key3>263922</Key3>
          <Path>C:\Program Files\Skype Onlinestatus Indicator 2
                  \SkypeStatusClientTCP.exe</Path>
       </Client2>
       <Client3>
          <Key1>76eb3dfca1281c8cb30e2006baa678322223
                 195d9282a564f4d0aa01425bf281</Key1>
          <Key2>bf54f856b92589ad2d8c707f3e41c903</Key2>
          <Key3>460168</Key3>
          <Path>C:\WINDOWS\System32\WScript.exe</Path>
       </Client3>
    </AccessControlList>
 …

Because the digital signature is stored in config.xml, Skype can tell the difference and block an application even if it has exactly the same name and file path (for example, a malicious version of WScript.exe).

That's all well and good for regular .exe files that are add-ons, but what it also means is that once you've given WScript.exe access to the Skype API, all scripts (yours and anyone else's) can and will run without any complaint from Skype. So, you may want to exercise a good deal of caution when giving permission to scripts and the engines that run them.

11.6.1.2. Linux.

On Linux, there is no real access control; what's implemented (at least as of version 1.2.0.11_API) is an illusion. In part, this is not Skype's fault, as it's not possible to make digital signatures and the like with D-BUS (Skype's API message-passing layer on Linux) in between the add-on and Skype.

When an add-on sends the command NAME AddonName to Skype via the API protocol, Skype dutifully pops up a dialog like that shown in Figure 11-14. If you give the add-on permission to access Skype, an entry is placed in the config.xml file for the Skype user currently logged on, as illustrated by the following config.xml fragment. However, any executable add-on or script that sends the same AddonName as another add-on that has already been given access will likewise be granted access. By understanding this security loophole, you can better decide whether to give add-ons access to Skype.

 …
 <UI>
    <API>
       <Authorizations>
          SkypeApiPythonTestClient;;;SkypeApiLogger
       </Authorizations>
    </API>
 …
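The two grant styles described above can be audited straight from config.xml. The following is an added example, not code from the book or from Skype: it lists every grant, records whether it is tied to a file signature or only to a name, and flags script hosts. The sample input is constructed; the `<config>` root, the placeholder key values, and the combination of both fragment shapes in one file are assumptions made for the demonstration.

```python
import ntpath
import xml.etree.ElementTree as ET

# Script hosts named in the text: one grant covers every script they run.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample input; the <config> root and key values are placeholders.
SAMPLE = r"""<config>
  <UI>
    <AccessControlList>
      <Client1>
        <Key1>KEY1-PLACEHOLDER</Key1>
        <Path>C:\Program Files\rapidSoft\rapidSoft.exe</Path>
      </Client1>
      <Client2>
        <Key1>KEY1-PLACEHOLDER</Key1>
        <Path>C:\WINDOWS\System32\WScript.exe</Path>
      </Client2>
    </AccessControlList>
    <API>
      <Authorizations>SkypeApiPythonTestClient;;;SkypeApiLogger</Authorizations>
    </API>
  </UI>
</config>"""


def audit_grants(xml_text):
    """Return (identity, binding, warning) for every add-on grant found."""
    root = ET.fromstring(xml_text)
    findings = []
    # Windows-style entries: one <ClientN> element per authorized executable.
    for acl in root.iter("AccessControlList"):
        for client in acl:
            path = (client.findtext("Path") or "").strip()
            warning = None
            if ntpath.basename(path).lower() in SCRIPT_HOSTS:
                warning = "script host: every script it runs inherits access"
            findings.append((path, "file signature", warning))
    # Linux-style entries: names only, separated by ';;;'.
    for auth in root.iter("Authorizations"):
        for name in (auth.text or "").split(";;;"):
            if name.strip():
                findings.append((name.strip(), "name only",
                                 "any program sending this NAME is accepted"))
    return findings


if __name__ == "__main__":
    for identity, binding, warning in audit_grants(SAMPLE):
        print(f"{identity:45} {binding:15} {warning or 'ok'}")
```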

11.6.2. Manage Add-On Access Control

When an add-on first tries to access Skype via its API, Skype will ask you to give it explicit permission to do so (see Figure 11-14).

Figure 11-14. Initial permission dialog for add-on access to the Skype API


How you manage add-on access control after granting initial access then depends on the platform.

11.6.2.1. Windows.

Once an add-on has been given permission to use the Skype API (the "Allow this program to use Skype" radio button should be clicked; see Figure 11-14), add-on access control is thereafter managed through a different dialog (see Figure 11-15). To access the dialog, select Skype → Tools → Options … → Privacy, and then click on the "Manage other programs access to Skype" link.

The small double arrows in Figure 11-15 mean that that particular add-on is currently connected to Skype. Absence of these double arrows means that an add-on is under access control, but is dormant at present.

Selecting an add-on from Figure 11-15 and clicking on the Change button will open another dialog, shown in Figure 11-16, which will enable you to revoke or otherwise control the access for add-ons whose existence is already known by Skype.

11.6.2.2. Linux and Mac OS X.

As of Skype version 1.2.0.11_API on Linux and 1.3.0.8 on Mac OS X, there is no dialog available through Skype's GUI to manage add-on access to the Skype API. To revoke access for an add-on, you must delete its entry in config.xml.

Figure 11-15. Dialog to manage add-on access to Skype's API


Figure 11-16. Dialog to control future access of add-ons for which you have already given permission to use Skype


To delete an entry from config.xml you must first stop Skype from running, delete the entry from the config.xml file, and then restart Skype. Otherwise, your changes won't take effect.

On Linux, to revoke access to an add-on, you need only delete the name of the add-on from the access control list, as shown in the following config.xml fragment:

 …
 <UI>
    <API>
       <Authorizations>
          SkypeApiPythonTestClient;;;SkypeApiLogger
       </Authorizations>
    </API>
 …

On Mac OS X, the following config.xml fragment includes the access control entry for an add-on called My Skype API Tester. To revoke access to the Skype API for this add-on you will need to delete the add-on's entry (that is, delete everything between and including the <My.20Skype.20API.20Tester> and </My.20Skype.20API.20Tester> tags). If this add-on subsequently requests access to Skype, you will again be prompted to give it permission to do so.

 …
 <API>
    <List>
       <AppleScript>
          <Data1>2ACF364D256828FF6BF3680252A88880</Data1>
          <Data2>627722115D344BE8518653A885370FCF</Data2>
       </AppleScript>
       <My.20Skype.20API.20Tester>
          <Data1>39C7FB01F02DFF491174E05063DEF5F8FA20ACEE5B85F0
                 29ABB220005CFBE667</Data1>
          <Data2>627722115D344BE8518653A885370FCF</Data2>
       </My.20Skype.20API.20Tester>
    </List>
 </API>
 …
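The manual revocation steps for Linux and Mac OS X can be scripted. This is an added example, not code from the book or from Skype: it removes one name from the `;;;`-separated Linux list, or deletes one add-on's element from the Mac OS X list. The samples are constructed, and the `<config>` root, the placeholder values, and the handling of only the space to `.20` name mapping seen in the fragment above are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples; the <config> root and Data values are placeholders.
LINUX_SAMPLE = """<config><UI><API>
  <Authorizations>SkypeApiPythonTestClient;;;SkypeApiLogger</Authorizations>
</API></UI></config>"""

MAC_SAMPLE = """<config><API><List>
  <AppleScript><Data1>PLACEHOLDER</Data1></AppleScript>
  <My.20Skype.20API.20Tester><Data1>PLACEHOLDER</Data1></My.20Skype.20API.20Tester>
</List></API></config>"""


def revoke_linux(xml_text, addon_name):
    """Drop addon_name from every ';;;'-separated <Authorizations> list."""
    root = ET.fromstring(xml_text)
    removed = False
    for auth in root.iter("Authorizations"):
        names = [n.strip() for n in (auth.text or "").split(";;;") if n.strip()]
        kept = [n for n in names if n != addon_name]
        removed = removed or len(kept) != len(names)
        auth.text = ";;;".join(kept)
    return ET.tostring(root, encoding="unicode"), removed


def revoke_mac(xml_text, addon_name):
    """Delete the add-on's whole element from <API><List>."""
    # Assumption: only the space -> ".20" mapping visible in the text is handled.
    tag = addon_name.replace(" ", ".20")
    root = ET.fromstring(xml_text)
    removed = False
    for api in root.iter("API"):
        for lst in api.findall("List"):
            for entry in list(lst):
                if entry.tag == tag:
                    lst.remove(entry)
                    removed = True
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print(revoke_linux(LINUX_SAMPLE, "SkypeApiLogger")[0])
    print(revoke_mac(MAC_SAMPLE, "My Skype API Tester")[0])
```

Run it against a copy of config.xml while Skype is stopped, as the procedure above requires. ElementTree re-serializes the document, so the layout of the output will differ from the original file.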




Skype Hacks: Tips & Tools for Cheap, Fun, Innovative Phone Service
ISBN: 0596101899
EAN: 2147483647
Year: 2005
Pages: 168
