Blogger discovers, demonstrates security issue with Skype iOS app

Sep 20, 2011 11:37 GMT  ·  By

A security blog reports that the Skype application for iOS contains a cross-site scripting (XSS) vulnerability in the "Chat Message" window, effectively allowing an attacker to run malicious code and gain access to a user’s AddressBook.

The flaw exists in Skype 3.0.1 and earlier versions for iPhone and iPod touch, according to Superevr. Apparently, the iPad-native version of the app is unaffected.

The blog explains that Skype iOS uses a locally stored HTML file to display chat messages from others.

However, the method fails to properly encode the incoming user’s "Full Name," which allows “an attacker to craft malicious JavaScript code that runs when the victim views the message.”
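The encoding failure described above, as an added example (not Skype's code and not taken from the Superevr post): the chat template, function names and sample display name are hypothetical, and the sample carries only inert bold markup. It puts the unencoded rendering beside a version that encodes the name at output, with a structural check suitable for a regression test.

```javascript
// Added illustration. Template, names and sample data are hypothetical.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};

// Encode the five characters that can change HTML structure in element
// text or inside a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern described in the article: the sender-controlled "Full Name" is
// placed into the locally stored chat template without encoding.
// (Assumption: the message body is encoded; the article names only the name.)
function renderMessageUnsafe(fullName, body) {
  return '<div class="msg"><span class="sender" title="' + fullName + '">' +
    fullName + '</span><p>' + escapeHtml(body) + '</p></div>';
}

// Hardened form: every untrusted field is encoded at the point of output,
// in both the attribute and the text position.
function renderMessageSafe(fullName, body) {
  const name = escapeHtml(fullName);
  return '<div class="msg"><span class="sender" title="' + name + '">' +
    name + '</span><p>' + escapeHtml(body) + '</p></div>';
}

// Regression check: the template itself contributes exactly three opening
// tags (div, span, p). Any extra tag means input altered the structure.
const TEMPLATE_TAGS = 3;
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}
function inputAlteredStructure(html) {
  return countOpeningTags(html) !== TEMPLATE_TAGS;
}

// Constructed sample: a display name carrying harmless markup.
const SAMPLE_NAME = 'Alice <b id="injected">X</b>';

console.log(inputAlteredStructure(renderMessageUnsafe(SAMPLE_NAME, 'hi')));
console.log(inputAlteredStructure(renderMessageSafe(SAMPLE_NAME, 'hi')));
```
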

“Executing arbitrary Javascript code is one thing, but I found that Skype also improperly defines the URI scheme used by the built-in webkit browser for Skype,” the author says.

Despite the fact that file system access is partially mitigated by the iOS Application sandbox implemented by Apple with the purpose of preventing access to certain data, “every iOS application has access to the users AddressBook, and Skype is no exception,” the blog outlines.

The author, who seems to be the first to have discovered this flaw, has created a proof-of-concept injection, as well as an actual simulation attack “[to show] that a users [sic] AddressBook can indeed be stolen from an iPhone or iPod touch with this vulnerability.”

A video demonstration of the hack can be found embedded below.

Note that it is not Apple that needs to address this flaw, but Skype Software itself. Expect an updated version of Skype for iPhone to arrive in the App Store soon.

Apple had better prioritize its approval if it wants to keep iPhone users on the safe side.

We’d post the usual download link for Skype iOS, but since it’s not safe to use it just yet, we’ll wait until it gets updated.