14 DAY TRIAL // A critical cross-site scripting (XSS) vulnerability which facilitates account hijacking has been identified in the latest variant of the popular Skype VoIP client.
It appears the vulnerability was introduced along with the application's Facebook integration which has been available from version 5.3. Skype is now at version 5.5.
The Facebook integration allows Skype users to see the activity of their Facebook friends directly from the client and even post messages on their walls.
However, security researcher David Vieira-Kurz discovered that the status comment field does not properly sanitize input and executes JavaScript code.
An attacker can exploit this vulnerability to post a comment that executes rogue code which steals a visitor's Skype session cookie when they view it in the browser.
The session ID allows hijacking the account and this vulnerability can be exploited even if the attacker is not among the user's Skype or Facebook contacts.
According to H Security, Skype has been notified of this vulnerability and is working on a fix. Until then users are advised not to visit the public profiles or people they don't know.
This report comes after two weeks ago a cross-site scripting vulnerability with a similar effect was identified in the popular VoIP client.
However, the impact of that XSS flaw was limited by the fact that the attacker had to be in the victim's contact list and that the session hijacking only affected the web account, not the one on the client.
Back in April, another critical vulnerability was discovered in Skype's chat input field. Simply sending a malformed message to a user caused their client to crash and gave the attacker a remote shell on their computer.
Earlier this week a similar XSS flaw was identified in popular IM application ICQ. Since such applications are integrating more and more web technologies, the number of cross-site scripting vulnerabilities discovered in them is likely to increase.