
Watch Out! If You’re Using Skype for iOS, You Can Be Hacked Just By Reading A Chat Message


Video: http://www.youtube.com/watch?v=Ou_Iir2SklI&feature=player_embedded

If you’re a Skype user on the iPhone or iPod Touch, be warned: a new cross-site scripting vulnerability has been discovered in version 3.0.1 that allows attackers to execute malicious JavaScript code just by sending you a chat message.

The good news is that Skype is aware of the issue and is already rolling out an update that fixes the exploit.

The bad news? This exploit occurs when you simply view a chat message, which means that anyone who sends you an IM on Skype could easily slurp up your private information.

Security researcher Phil Purviance, who found the exploit, says:

Executing arbitrary JavaScript code is one thing, but I found that Skype also improperly defines the URI scheme used by the built-in WebKit browser for Skype. Usually you will see the scheme set to something like, “about:blank” or “skype-randomtoken”, but in this case it is actually set to “file://”. This gives an attacker access to the user's file system, and an attacker can access any file that the application itself would be able to access.

File system access is partially mitigated by the iOS Application sandbox that Apple has implemented, preventing an attacker from accessing certain sensitive files. However, every iOS application has access to the user's AddressBook, and Skype is no exception.
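The two conditions Purviance describes, unescaped chat content and a `file://` document origin, can each be closed independently. The sketch below is an added example, not Skype's code or part of the original article; the field names (`from`, `body`), the function names and the one-entry scheme allow-list are assumptions made for illustration.

```javascript
// Added example. Models how a chat client could prepare content for an
// embedded web view. All names here are hypothetical, not Skype's.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Neutralise the characters that let a text field break out into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build one chat line; every attacker-controllable field is escaped.
function renderChatLine(msg) {
  return '<div class="msg"><span class="from">' + escapeHtml(msg.from) +
    '</span>: <span class="body">' + escapeHtml(msg.body) + '</span></div>';
}

// Assumption: only an inert origin is acceptable for the chat document.
const SAFE_BASE_SCHEMES = new Set(['about:']);

// Reject a base URL that would give the chat document a file: origin,
// the condition that turns script injection into local file access.
function checkBaseUrl(baseUrl) {
  let scheme;
  try {
    scheme = new URL(baseUrl).protocol;
  } catch (e) {
    return { ok: false, reason: 'unparseable base URL' };
  }
  if (scheme === 'file:') {
    return { ok: false, reason: 'file: origin exposes files the app can read' };
  }
  if (!SAFE_BASE_SCHEMES.has(scheme)) {
    return { ok: false, reason: 'scheme not on allow-list: ' + scheme };
  }
  return { ok: true, reason: 'inert origin' };
}

// Refuse to hand anything to the web view unless both defences hold.
function prepareChatView(messages, baseUrl) {
  const check = checkBaseUrl(baseUrl);
  if (!check.ok) throw new Error('refusing to load chat view: ' + check.reason);
  return { baseUrl: baseUrl, html: messages.map(renderChatLine).join('\n') };
}

// Constructed sample input: a sender name carrying markup.
const SAMPLE = [{ from: 'Mallory <script>probe()</script>', body: 'hi & "bye"' }];
console.log(prepareChatView(SAMPLE, 'about:blank').html);
```

Either defence alone narrows the impact: escaping stops the script from running at all, while an inert origin limits what a script could reach if escaping were ever missed elsewhere.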

This seems like a good example of the classic exploit timeline: a dangerous exploit is discovered, then reported to a company, which proceeds to do nothing about it until the person who found the exploit goes public, at which point, all of a sudden, they are able to issue a patch within twenty-four hours.

Anyway, be careful on Skype for iOS for the next few days. Hopefully Skype will have this fixed soon.


26 responses to “Watch Out! If You’re Using Skype for iOS, You Can Be Hacked Just By Reading A Chat Message”

  1. FriarNurgle says:

    how nice

  2. Jdsonice says:

    Oh Boy. I wonder if Skype will be responsive to iOS users given that it is owned by MS. 

  3. dcj001 says:

    Does anyone know if this can happen when receiving a chat from a trusted or do you need to receive it from the hacker?

  4. GregsTechBlog says:

    Exactly what I was concerned about when I found out MS bought Skype. 

  5. facebook-1080525186 says:

    don’t be ridiculous… of course it’s going to patch it… the flaw isn’t in iOS it’s in the Skype software…

    they are only making themselves look bad.

  6. wilkerlucio says:

    can be happening receiving chat from anyone, one contact of yours can do it just for fun… be careful

  7. Jdsonice says:

    I did not say they were not going to fix it. Please read my comment. I said I “wonder” if they will be as responsive to iOS as they were before being purchased by Microsoft.

    If you cannot read please refrain from posting.

  8. takeo says:

    Microsoft doesn’t hate Apple. In fact they earn millions of dollars with their Office Suite for Mac.

  9. acdeag says:

    Not sure MS own Skype yet. They announced “they were to buy it” subject to regulatory clearances, these take a few months to come in. Before these are finalized Skype will be an independent company.

  10. Steve Jods says:

    When Microsoft bought Skype, I deleted it

  11. Kfjezopgjze says:

    Ok, that’s not iOS’s fault, right. But why didn’t Apple introduce a switch toggling right to access the Address book as it did with position data and others?

     At least we could restrain access temporally, waiting for MS to patch…

  12. liquidmagic says:

    Ask them to re-design the entire UI first. Then I will install it again and deal with this problem!

  13. ourbearcamp says:

    A user can prevent this from happening by changing a setting in their Skype app.

    Go to your Skype preferences, click the Privacy tab, click “Only people in my Contact list” under “Allow chats from:”.  Not sure if you can make this change in the iOS version, but once you do it on the desktop version the settings should port over to the iOS version as well.  Please note this doesn’t protect you from friends, family, and people in your contact list, but you can just delete them if they aren’t trustworthy.
