Softpedia
 


September 20th, 2011, 11:37 GMT · By

Warning: Skype for iPhone Has a Serious Security Flaw (Video)

A security blog reports that the Skype application for iOS has a cross-site scripting (XSS) vulnerability in its "Chat Message" window, effectively allowing an attacker to run malicious code and gain access to a user’s AddressBook.

The flaw exists in Skype 3.0.1 and earlier versions for iPhone and iPod touch, according to Superevr. Apparently, the iPad-native version of the app is unaffected.

The blog explains that Skype iOS uses a locally stored HTML file to display chat messages from others.

However, the method fails to properly encode the incoming user’s "Full Name," which allows “an attacker to craft malicious JavaScript code that runs when the victim views the message.”
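The encoding failure described above, shown as an added example that is not Skype's code and is not taken from the Superevr post: a chat fragment is built from a sender's "Full Name" with and without HTML output encoding. The function names, the template markup and the sample name are constructed for illustration.

```javascript
// Added example (not Skype's code): rendering a sender's "Full Name" into a
// chat-message HTML fragment, first without and then with output encoding.

// Characters that change meaning in HTML text or in quoted attribute values.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // Single pass, so an '&' produced by one replacement is never re-encoded.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Flawed pattern: untrusted profile data is concatenated into markup as-is.
function renderMessageUnsafe(fullName, text) {
  return '<div class="msg"><span class="sender" title="' + fullName + '">' +
    fullName + '</span><p>' + text + '</p></div>';
}

// Hardened pattern: every untrusted field is encoded at the point of output.
function renderMessageSafe(fullName, text) {
  const name = escapeHtml(fullName);
  return '<div class="msg"><span class="sender" title="' + name + '">' +
    name + '</span><p>' + escapeHtml(text) + '</p></div>';
}

// Check for a test suite: list opening tags that the template itself never emits.
function unexpectedTags(html, allowed = ['div', 'span', 'p']) {
  const found = [];
  const re = /<\s*([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (!allowed.includes(tag)) found.push(tag);
  }
  return found;
}

// Constructed sample: a display name, set by the remote party, that carries markup.
const sampleName = 'Mallory <script>/* attacker-chosen code */</script>';

console.log('unsafe:', unexpectedTags(renderMessageUnsafe(sampleName, 'hi')));
console.log('safe:  ', unexpectedTags(renderMessageSafe(sampleName, 'hi')));
```

The unsafe renderer lets the name introduce its own element in both the attribute and the element body, while the encoded version displays the same characters as inert text.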

“Executing arbitrary Javascript code is one thing, but I found that Skype also improperly defines the URI scheme used by the built-in webkit browser for Skype,” the author says.

Despite the fact that file system access is partially mitigated by the iOS Application sandbox implemented by Apple with the purpose of preventing access to certain data, “every iOS application has access to the users AddressBook, and Skype is no exception,” the blog outlines.

The author, who seems to be the first to have discovered this flaw, has created a proof-of-concept injection, as well as an actual simulation attack “[to show] that a users [sic] AddressBook can indeed be stolen from an iPhone or iPod touch with this vulnerability.”

A video demonstration of the hack can be found embedded below.

Note that it is not Apple that needs to address this flaw, but Skype Software itself. Expect an updated version of Skype for iPhone to arrive in the App Store soon.

Apple had better prioritize its approval if it wants to keep iPhone users on the safe side.

We’d post the usual download link for Skype iOS, but since it’s not safe to use it just yet, we’ll wait until it gets updated.





READER COMMENTS:


Comment #1 by: Izabela on 20 Sep 2011, 12:46 UTC

I'm very concerned and looking forward to Skype 'mending' this soon. However, from my experience I doubt it, as Skype for Mac has had a serious problem lasting a few years.
A few years ago I noticed that my Skype chats go to people that I did not intend to send them to. The people were on my contacts list, for example: I sent a chat message to person A while it went to person B! Believe me, I had many problems because of that!
I filed a ticket and sent it to Skype. Got some advice like: restart Skype, reinstall it, do a system restore and so on. Nothing worked and it's not fixed today.
I thought it was only me having these problems. But recently I found my family and friends are experiencing this on their Windows machines as well!
So although I use Skype because I have to, I'm very careful about what I type.

Copyright © 2001-2013 Softpedia.