Aug 23, 2011 13:57 GMT  ·  By

Skype disputes the severity of a new cross-site scripting vulnerability identified in its VoIP client and claims that it cannot be used to do more than change the appearance of text.

The vulnerability was discovered by an Armenian security researcher named Levent Kayan, aka noptrix, who recently identified similar flaws in instant messaging clients.

"Skype suffers from a persistent code injection vulnerability due to a lack of input validation and output sanitization of following profile entries: home, office, mobile," the researcher explains in his advisory.

An attacker can exploit the vulnerability to inject HTML or JavaScript code into a Skype profile with yet-to-be-determined consequences. At the very least, an attacker could include a malicious link and encourage users to click on it.

Skype claims that the bug's impact is very limited and has little to no security implications. "We have had this reported to us by various media outlets and have confirmed that the person is mistaken, this is not a web window and while it does cause a phone number to be underlined, does nothing other than this," a spokeswoman said.

Kayan responded by stressing that any HTML tag can be inserted into the vulnerable profile fields, not only the one used to link text. He also points out that this vulnerability is located in the same field as another one that he reported to Skype back in July.

It appears that instead of fixing the previous flaw directly on the client by blocking HTML input in the profile fields, the company chose to sanitize the server output.

"Does it make sense to allow users to 'embed' HTML code in their Skype profile and especially in those 'phone number' fields?" the researcher asks. It seems not, because on Windows and Mac this is not possible. Only the Skype Linux client allows this functionality.
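The two layers discussed above, rejecting HTML when a phone-number field is entered and encoding the value when it is displayed, are sketched below as an added example; it is not Skype's code or the researcher's. The allowlist pattern, the function names and the sample profile are assumptions made for illustration.

```python
import html
import re

# Profile entries named in the advisory quoted above.
PHONE_FIELDS = ("home", "office", "mobile")

# Assumed allowlist: optional leading +, then digits and common separators.
# The length bounds are illustrative, not taken from Skype.
PHONE_RE = re.compile(r"\+?[0-9][0-9 ().\-]{2,30}")


def validate_phone(value):
    """Input-side check: accept only phone-number characters, else raise."""
    value = value.strip()
    if not PHONE_RE.fullmatch(value):
        raise ValueError("not a phone number")
    return value


def store_profile(submitted):
    """Keep valid phone fields and report the ones that were rejected."""
    accepted, rejected = {}, []
    for field in PHONE_FIELDS:
        raw = submitted.get(field, "")
        if not raw:
            continue
        try:
            accepted[field] = validate_phone(raw)
        except ValueError:
            rejected.append(field)
    return accepted, rejected


def render_field(value):
    """Output-side check: encode on display, so a value that bypassed
    input validation (written by another client, say) shows as plain text."""
    return html.escape(value, quote=True)


# Constructed sample profile, not taken from the advisory.
SAMPLE = {
    "home": "+1 (555) 010-0199",
    "office": "<b>555 0100</b>",
    "mobile": '<a href="http://example.invalid/">call me</a>',
}

if __name__ == "__main__":
    print(store_profile(SAMPLE))
    print(render_field(SAMPLE["office"]))
```

Doing both matters here because, per the article, only one client accepts the markup: input validation in one client does nothing for values already stored or submitted by another, while output encoding alone still leaves non-numeric data in a phone field.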
