Botnets + VoIP services = trouble?

Researchers at Secure Science have discovered methods to make unauthorized calls from both Skype and the Google Voice services.  Add botnets for massive dialing and let the fun (not) begin. Google says it has patched the hole; Skype isn't commenting.

Secure Science was able to leverage an online service called SpoofCard to display a different caller ID and leveraged the fact that neither Google Voice or Skype require a password to access their voicemail systems. The Skype attack would require a victim to visit a website within 30 minutes of being logged into Skype, but once done an attacker could add a specific call forwarding number, grant an attacker ability to receive the victim's incoming calls, get a Skype-To-Go number, and the ability to access victim's a voicemail, speed dial, and outbound calling via spoofed Caller-ID (i.e. where SpoofCard comes in).

Within Google Voice, an attacker could even intercept or listen on incoming calls, using the Temporary Call Forwarding feature to add another number to an account, then using something like Asterisk to answer the call before a victim could hear a ring. An attacker would need to know the victim's phone number, but Secure has figured out a way to do this through Google's Voice SMS feature.

Google said it has patched the bugs enabling Secure Science's attack, and has added a password for its voice system. It also said that a lot of things would have to go right at the same time for Secure's technique to work.

A spokesperson for Secure Science says the Skype vulnerabilities have not yet been fixed and Skype parent eBay wasn't commenting.

For more:
- IDG News Service via PC World. Post.

Related articles
Skype responds to earlier security breach - FierceVoIP
A Skype Back Door? - FierceVoIP
Skype Wiretap Nuances - FierceVoIP