Jul 15, 2011 16:42 GMT

A cross-site scripting (XSS) vulnerability that allows attackers to hijack web sessions has been identified in Skype. A patch will be made available next week.

The XSS weakness was discovered by an Armenian hacker named Levent Kayan who notified Skype and made it public on his blog.

The vulnerability is located in the VoIP client's "mobile phone" profile entry and is the result of improper input validation of that field.

This is a so-called permanent or stored XSS flaw because the rogue JavaScript an attacker inserts into the field is saved with the profile and served as part of the page, permanently modifying it.
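As an added illustration, not code from the article or from Skype, here are the two controls a stored XSS in a profile field calls for: a strict allowlist on the phone-number input and HTML escaping when the stored value is rendered, plus a small audit over already-stored values. The field name, the allowlist pattern and the markup are assumptions.

```python
import html
import re

# Assumed allowlist for a "mobile phone" profile field (example policy, not
# Skype's): optional leading '+', then a digit, then 5-19 more characters drawn
# from digits, spaces, dots, dashes and parentheses. Markup can never match.
PHONE_RE = re.compile(r"\+?[0-9][0-9 .()-]{5,19}")


def validate_mobile_phone(value: str) -> bool:
    """Input validation: accept only strings that look like a phone number."""
    return PHONE_RE.fullmatch(value) is not None


def render_field_unsafe(value: str) -> str:
    """The weak pattern: the stored value is concatenated into the profile
    markup verbatim, so any tags stored in the field become part of the page."""
    return f'<span class="mobile">{value}</span>'


def render_field_safe(value: str) -> str:
    """Hardened output: HTML-escape the stored value so it is only ever
    displayed as text, whatever the validator may have let through."""
    return f'<span class="mobile">{html.escape(value, quote=True)}</span>'


def store_and_render(value: str) -> str:
    """Defence in depth: reject bad input at write time, escape at read time."""
    if not validate_mobile_phone(value):
        raise ValueError("mobile phone field rejected by validator")
    return render_field_safe(value)


def audit_stored_values(values: list[str]) -> list[str]:
    """Detection for data written before validation existed: return every
    stored value that would fail the allowlist and therefore needs review."""
    return [v for v in values if not validate_mobile_phone(v)]


if __name__ == "__main__":
    # Constructed sample values: two plausible numbers and one stored tag.
    samples = ["+1 555-0100", "<i>not a number</i>", "0170 1234567"]
    print("flagged:", audit_stored_values(samples))
    print("unsafe :", render_field_unsafe(samples[1]))
    print("safe   :", render_field_safe(samples[1]))
```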

"An attacker could trivially hijack session IDs of remote users and leverage the vulnerability to increase the attack vector to the underlying software and operating system of the victim," Kayan wrote in his advisory.

According to ZDNet, Skype doesn't see the vulnerability as being a serious issue because there are limiting factors to a successful attack. Nevertheless, a patch is currently being worked on and will be deployed next week.

Skype explained that in order to exploit the vulnerability the attacker needs to be one of the victim's contacts with whom they most frequently interact.

Furthermore, the session information that can be obtained is not related to the Skype account on the client, but to the website. This means attackers can't make calls in the name of the victims, as has been suggested.

"As you can imagine, someone who you deal with frequently is probably unlikely to take advantage of this bug anyways," Skype spokesperson Chaim Haas told Forbes. That is true unless the contact has had his account hijacked.

Earlier this year, an Australian security consultant identified an XSS vulnerability in the Skype chat input box which could be exploited to crash the victim's client.