Skype’s popular VoIP program contains a vulnerability that could allow an attacker to gain access to an account. Levent Kayan, who found the vulnerability, indicated in his review that in some cases it is possible to gain access to the user's system.
The attacker can inject JavaScript into the mobile phone field or the "about yourself" field. These fields are not sufficiently filtered, and when someone from the attacker's contact list logs in to Skype, the embedded code is executed automatically.
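The defence this paragraph points to, as an added example that is not Skype's code or part of the original report: a hypothetical contact-card renderer that validates the mobile phone field against an allowlist and HTML-encodes the "about yourself" text before display, shown beside the weak version. The function names, the profile object shape and the sample profile are assumptions constructed for illustration.

```javascript
// Added example: hypothetical contact-card renderer, not Skype's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist validation: a phone field only needs digits and a few separators.
// Anything else is rejected rather than "cleaned".
function normalizePhone(value) {
  const s = String(value).trim();
  return /^\+?[0-9 ()\-.]{3,24}$/.test(s) ? s : null;
}

// Weak version: remote profile data is concatenated straight into markup.
function renderContactCardUnsafe(profile) {
  return `<div class="card"><span class="phone">${profile.mobile}</span>` +
         `<p class="about">${profile.about}</p></div>`;
}

// Hardened version: validate the structured field, encode the free-text field.
function renderContactCard(profile) {
  const phone = normalizePhone(profile.mobile);
  return `<div class="card"><span class="phone">${phone === null ? '' : escapeHtml(phone)}</span>` +
         `<p class="about">${escapeHtml(profile.about)}</p></div>`;
}

// Constructed sample profile, as it might arrive from a contact.
const hostileProfile = {
  mobile: '<script>alert(1)</script>',
  about: 'Hi! <img src=x onerror="alert(2)">',
};

// Render the same profile both ways so the difference can be compared.
function demo() {
  return {
    unsafe: renderContactCardUnsafe(hostileProfile),
    safe: renderContactCard(hostileProfile),
  };
}

console.log(demo().safe);
```

Encoding happens at render time on the receiving client, so it still protects the viewer when the profile was stored before any server-side filter existed.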
The XSS vulnerability is present in Skype 5.3.0.120 and earlier on Windows and Mac, and it cannot always be reproduced. The Linux version is not affected. At the moment, no fix is available.
Skype developers confirmed the vulnerability and promised to release a fix within the next week. They also explained why the vulnerability cannot always be reproduced: the attacker must be in the list of popular contacts. They classified the problem as not very significant, since the attacker can only show a message or redirect to another page.