

The demonstration merely opens a window but it could equally well silently send data to an attacker. Source: Levent Kayan

Popular VoIP software Skype contains a security issue which could enable an attacker to gain access to a contact's account. In a security advisory, Levent Kayan, who discovered the vulnerability, reports that in some cases it could even allow access to the user's system.

The problem revolves around a persistent cross-site scripting vulnerability. An attacker can embed JavaScript in the mobile phone field of his or her profile description. Skype fails to adequately filter this field which means that if one of the attacker's contacts logs into Skype, the embedded JavaScript can be executed automatically without further user intervention. An attacker could exploit this to retrieve the session cookie, for example.
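
As an added illustration (not code from the advisory or from Skype), the sketch below shows this class of flaw in a hypothetical contact-list renderer: a stored profile field concatenated into markup unchanged, beside a version that checks the mobile field against a phone-number allowlist and HTML-encodes it on output. All function names and both sample profiles are constructed for this example.

```javascript
// Added example: hypothetical profile renderer, not Skype's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can switch the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist for a phone field: optional leading +, then digits and common separators.
const PHONE_RE = /^\+?[0-9][0-9 ()./-]{2,30}$/;

function isValidPhone(value) {
  return typeof value === 'string' && PHONE_RE.test(value);
}

// "Before": the stored field reaches the contact's client unfiltered.
function renderProfileUnsafe(profile) {
  return `<div class="contact"><span class="name">${profile.name}</span>` +
         `<span class="mobile">${profile.mobile}</span></div>`;
}

// "After": non-phone values are dropped, and everything is encoded on output,
// so the field is treated as text even if validation is bypassed upstream.
function renderProfileSafe(profile) {
  const mobile = isValidPhone(profile.mobile) ? profile.mobile : '';
  return `<div class="contact"><span class="name">${escapeHtml(profile.name)}</span>` +
         `<span class="mobile">${escapeHtml(mobile)}</span></div>`;
}

// Constructed sample profiles (not taken from the advisory).
const benign = { name: 'Alice', mobile: '+49 170 0000000' };
const hostile = { name: 'Mallory', mobile: '+49 170 0000000<script>alert(1)</script>' };

console.log(renderProfileUnsafe(hostile)); // markup contains a live <script> element
console.log(renderProfileSafe(hostile));   // mobile field rendered empty
console.log(renderProfileSafe(benign));    // legitimate number displayed as text
```

Validation on input and encoding on output are independent controls: the first rejects values that are not phone numbers, the second keeps any stored value from being parsed as markup.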



The XSS problem was recreated by heise Security

According to Kayan, Skype 5.3.0.120 (the current version) and earlier for Windows and Mac are affected. The Linux version is not affected. The H's associates at heise Security in Germany were able to reproduce the problem in version 5.3.0.120 under Windows 7 and Windows XP, although in some cases more than ten logons were required before the problem manifested itself – why this should be the case is unclear. Kayan reports that he has informed the vendor. No patch is available at present.

Update – Skype has now confirmed it is aware of the hole and has already developed a patch to be published within the next week. Skype provides a plausible explanation as to why the problem isn't immediately reproducible: to take advantage of it, the attacker must appear in the victim's list of frequent contacts. Skype classifies the issue as a lesser problem because an attacker is allegedly only able to display messages through Skype or redirect pages.

(djwm)