After finding a critical security hole that allowed cybercriminals to change the password of any Skype account, Vulnerability Lab researchers have identified another series of flaws in the popular messaging application.
Two of them are remotely-exploitable mail encoding web vulnerabilities that affect the Skype Community.
The first – a high-severity persistent input validation vulnerability – can allow a remote attacker to inject arbitrary code on the application side of the Skype Community website.
“The vulnerability is located in the filter function of the username when Skype community is processing to send a not parsed update mail. Remote attacker with low privileged application user accounts can change the username values to malicious persistent script code via POST,” the advisory provided by Vulnerability Lab reads.
“The result in a persistent script code inject via email@example.com. Successful exploitation of the vulnerability result in persistent phishing attacks, persistent session hijacking or mail context manipulation via persistent inject.”
The second web problem identified by the researchers is a filter and mail encoding vulnerability that affects the same Skype Community website.
The security hole affects the outgoing email service and can be leveraged to execute persistent code against forum customers, administrators and moderators.
“The vulnerability is located in the not sanitized message body and title parameters when processing to load the bound vulnerable Problem Reporter or Send to Friends module,” the experts explained.
“The script code gets executed out of the message itself inside of the main mail template.”
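Both mail flaws come down to user-controlled fields (username, message title, message body) reaching an HTML mail template without output encoding. The sketch below is an added example, not Skype's or Vulnerability Lab's code; the template, function names and sample value are constructed for illustration. It renders the mail both ways and adds a pre-send check that rejects any markup the template did not emit.

```python
import html
from email.message import EmailMessage
from html.parser import HTMLParser

# Hypothetical template: the real Skype Community mail template is not on the page.
TEMPLATE = ("<html><body><h1>{title}</h1><p>Hello {username},</p>"
            "<div>{body}</div></body></html>")
ALLOWED_TAGS = {"html", "body", "h1", "p", "div"}  # tags the template itself emits
SAMPLE_USERNAME = "<script>/* constructed sample */</script>"  # constructed input


def render_unsafe(username, title, body):
    """The flawed pattern: user-controlled fields go into the HTML part as-is."""
    return TEMPLATE.format(username=username, title=title, body=body)


def render_safe(username, title, body):
    """Encode every user-controlled field for the HTML context before insertion."""
    fields = {"username": username, "title": title, "body": body}
    return TEMPLATE.format(**{k: html.escape(v, quote=True) for k, v in fields.items()})


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)


def unexpected_tags(markup):
    """Return tags in the rendered mail that the template did not emit."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags - ALLOWED_TAGS


def build_mail(recipient, subject, markup):
    """Refuse to send if user input introduced markup; keep CR/LF out of the subject."""
    if extra := unexpected_tags(markup):
        raise ValueError(f"user input introduced markup: {sorted(extra)}")
    msg = EmailMessage()
    msg["To"] = recipient
    msg["Subject"] = subject.replace("\r", " ").replace("\n", " ")
    msg.set_content(markup, subtype="html")
    return msg
```

The tag check is a second line of defence for the send path; the encoding in `render_safe` is what actually neutralises the input.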
The third flaw refers to a persistent software vulnerability that affects the Windows version of Skype v126.96.36.199. A local attacker could exploit this problem to manipulate configuration app login index files.
This allows cybercriminals to persistently execute malicious code in the main software’s context via the Skype API.
This high-severity issue can be addressed by disallowing bound requests out of the software’s context.
The mail encoding web vulnerabilities have been addressed by Skype, but according to the researchers, last time they checked, the persistent software issue was not fixed.
Tech-savvy users can check out the proof-of-concept of the mail encoding web vulnerabilities here.