I haven’t seen much about this in my regular news feeds, so I thought I would pass it along in case anyone missed it. In short, a malicious user enters JavaScript into the mobile phone field of their own Skype profile. When one of their targets comes online, the code in that field is executed on the target’s computer. For the attack to work, the attacker and the target have to be in each other’s address books. The good news is that if you are on a Mac and chose to stay on the 2.8.x version for aesthetic reasons, you are safe; only the latest 5.3.x version is affected, on all platforms. Here’s the original story I came across.
via Geek.com
A review by security consultant Levent Kayan revealed a new cross-site scripting vulnerability in Skype that could allow a malicious user to remotely change another user’s password and hijack their computer. The user and the attacker have to be friends on Skype for the exploit to work, but if they are, Kayan noted that the process is easily repeatable.
Kayan reported his findings on his blog on Wednesday, notified Skype on Thursday, and says that he hasn’t gotten any sort of response from the company. Skype hasn’t issued a statement about the vulnerability either, but it’s likely they’re still looking into duplicating Kayan’s research, or figuring out how to approach the issue.
In order for the exploit to work, Kayan discovered, the attacker can insert JavaScript into the mobile phone field of their profile. Then, when one of their friends comes online and logs in to Skype, the code in that field is executed on the contact’s computer. Depending on the code used, the exploit makes the victim’s computer completely vulnerable and could allow an attacker complete access or control of the victim’s machine.
Continued here.
Update: I also found a video demonstrating this vulnerability by the guys over at Vulnerability-Lab.com. Here it is for your viewing pleasure.
These guys are amazing exploiters & will all have a future on the scene because of their nice startup!