You thought using Skype was secure?

Many of us send sensitive information over Skype chat in order to prevent a third party from reading it. Think login credentials, for example. What you may not know is that Skype is set by default to store chat history on your hard disk. There would be nothing wrong with that if it weren’t in plain text!

All right, it’s not exactly plain text, it’s SQLite, but that’s no obstacle for a tech-savvy person. Even keyboard-shy people can download a plug-in for their favourite file manager (plugins here: FAR Manager / Total Commander). But even without a SQLite browser, you can see bits and pieces of your messages. Just open the file with any text editor. Don’t take my word for it, have a look yourself (path is for Windows 7):

C:\Users\<your Windows user name>\AppData\Roaming\Skype\<your Skype user name>\main.db

If you’re using a SQLite browser, look for the table Messages. You’ll find all the private messages that you’ve sent or received in the past on this computer. All it takes for someone to see them is to sit at your keyboard when it’s not locked. Or to send you a virus. Also, realize that the recipient of your messages has his or her own copy as well.

Now that I have your attention, here comes even worse news. You can’t simply purge your history. Don’t let yourself be fooled by that sweet looking button in your Skype settings. It just doesn’t work properly. I assume it’s because the records are only marked as deleted, not physically removed from the file.

You have to physically remove the file (wiping it, if you’re extra concerned), which unfortunately also removes all of your cached profile information. You will lose group assignments, real names of people who haven’t logged in recently, your profile picture… Don’t ask me why when this information is also stored on the server. It just happened to me. Good luck with convincing your friends or company partners to do this in order to purge your messages.
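The assumption above, that purged rows are only flagged as deleted, matches how SQLite behaves in general when secure deletion is off. The following Python sketch is an added example, not part of the original post and not run against Skype's real file: it deletes a row from a throwaway database and checks whether the text is still in the raw file. The table layout and the marker string are constructed for the demo.

```python
import os
import sqlite3
import tempfile

MARKER = b"constructed-secret-hunter2"  # constructed sample "sensitive" message


def residue_after_delete(secure_delete: bool, vacuum: bool = False) -> bool:
    """Return True if the deleted message text is still present in the raw file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        # isolation_level=None means autocommit: every statement reaches the file.
        con = sqlite3.connect(path, isolation_level=None)
        con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        # Hypothetical stand-in schema; the real main.db layout is not assumed.
        con.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, body TEXT)")
        con.executemany(
            "INSERT INTO Messages (body) VALUES (?)",
            [("hello",), (MARKER.decode(),), ("see you tomorrow",)],
        )
        con.execute("DELETE FROM Messages WHERE body = ?", (MARKER.decode(),))
        # As far as SQL is concerned, the row is gone.
        assert con.execute("SELECT COUNT(*) FROM Messages").fetchone()[0] == 2
        if vacuum:
            con.execute("VACUUM")  # rebuilds the file without the freed space
        con.close()
        # Look at the file the way a text editor or hex viewer would.
        with open(path, "rb") as fh:
            return MARKER in fh.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("plain DELETE leaves text:  ", residue_after_delete(secure_delete=False))
    print("DELETE + VACUUM leaves it: ", residue_after_delete(False, vacuum=True))
    print("secure_delete=ON leaves it:", residue_after_delete(secure_delete=True))
```

Even after VACUUM or a secure delete, the old bytes may still sit in unallocated disk space, which is why wiping the file is mentioned above.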

I continue to send sensitive information over Skype, I just don’t store it in the history now. Luckily, I don’t need to worry about Skype company monitoring the traffic because I’m not an interesting target. But that’s a different story ;-)

2 Responses to “You thought using Skype was secure?”

  1. Schmutzka says:

    It works! :) Very nice, this could be an issue in github ;).
    I see one advantage for the user itself – if I delete some user, I usually lose history with him (afaik). It is accessible in memoriam via this.

    Spread the word, “great” finding :).
    (Made me download SQLite browser. Don’t you have quick howto for Adminer? Thx.)

  2. Haven’t thought of using Adminer, good idea! It’s not difficult either if you already have Apache/PHP running on the same computer as Skype (I know you do):
    – upload Adminer to your web root and open it in your browser
    – switch “System” to “SQLite 3”
    – paste path to your main.db file (see above in this article) into “Database”
    – click Login

    It’s fun to browse the database. You can use Adminer to easily export your Skype contacts, for instance.
