A cross-site scripting vulnerability has been reported in the Skype application for iOS devices like iPod Touch and iPhones. According to security researcher Phil Purviance of AppSec, the vulnerability exists in the Chat message window of the Skype app. It may give an attacker access to the user’s address book and other sensitive data.
According to Purviance’s blog post, Skype uses a local HTML file to display chat messages from people on the user’s Skype contact list. However, the Skype app fails to properly encode the incoming users’ full names before inserting them into that HTML. An attacker can exploit this by placing specially crafted JavaScript code in a display name, which then executes when the user views the message.
The researcher writes that, in addition to allowing execution of arbitrary JavaScript, the URL scheme in Skype’s built-in WebKit browser is also defined improperly. This may give an attacker access to the user’s local file system and to any other files the Skype app can read.
While the file-system threat is partially mitigated by iOS’s application sandboxing, sensitive data such as the AddressBook, which every iOS application can read, can be accessed by exploiting this flaw. The flaw affects Skype app versions 3.0.1 and earlier for iOS.
Purviance writes that he informed Skype about this vulnerability last month, and expects that Skype will release a patch as part of its next planned update. The researcher has also posted a proof-of-concept video demonstrating