XSS to Skype for iOS

If you are using the iOS version of Skype on your iPhone or iPod Touch, be careful: a cross-site scripting vulnerability has been discovered in the Chat Message window of Skype version 3.0.1 and earlier.

The hole allows attackers to execute malicious JavaScript code, which is executed when the victim views the chat message. This vulnerability allows theft of information, such as the user's address book (see video under the cat).

Skype claims to be aware of the problem in security, and stated the following:
')

“We are working hard to fix this problem in our next release, which we hope to release soon. At the same time, we, as always, recommend people to be careful and accept requests from people they know, and also not to forget about the elementary rules of safety on the Internet. ”

The first sentence would be enough, dear Skype.

Security researcher Phil Purviance from AppSec Consulting writes:

Running arbitrary javascript code is not very nice, but I found that Skype also doesn’t work properly with a URI. Usually you will see a URL similar to something like “about: blank” or “skype-randomtoken”, but in this case we see “file: //”. This gives the attacker access to the user's file system, and he can access any file to which the application itself has access.
Access to the file system is partly controlled by the IOS sandbox implemented by Apple, not giving the attacker access to important files. However, every iOS application has access to users' AddressBook, and Skype is no exception.

In his Twitter, Phil says that he reported on this Skype XSS vulnerability almost a month ago.



Hopefully, an update should be expected soon, and media coverage will contribute to this.