httpvhd://www.youtube.com/watch?v=Ou_Iir2SklI&feature=player_embedded
If you’re a Skype user on the iPhone or iPod Touch, be warned: a new cross-site scripting vulnerability has been discovered in version 3.0.1 that allows attackers to execute malicious JavaScript code just by sending you a chat message.
The good news is that Skype is aware of the issue and is already rolling out an update that fixes the exploit.
The bad news? This exploit occurs when you simply view a chat message, which means that anyone who sends you an IM on Skype could easily slurp up your private information.
Security researcher Phil Purviance, who found the exploit, says:
Executing arbitrary Javascript code is one thing, but I found that Skype also improperly defines the URI scheme used by the built-in webkit browser for Skype. Usually you will see the scheme set to something like, “about:blank” or “skype-randomtoken”, but in this case it is actually set to “file://”. This gives an attacker access to the users file system, and an attacker can access any file that the application itself would be able to access.
File system access is partially mitigated by the iOS Application sandbox that Apple has implemented, preventing an attacker from accessing certain sensitive files. However, every iOS application has access to the users AddressBook, and Skype is no exception.
This seems like a good example of the classic exploit timeline: a dangerous exploit is discovered then reported to a company, which proceeds to do nothing about it until the person who found the exploit goes public, at which point, all of a sudden, they are able to issue a patch within twenty four hours.
Anyway, be careful on Skype for iOS for the next few days. Hopefully Skype will have this fixed soon.
