Follow us on RSS or Twitter for the latest updates.

July 19, 2011

Skype Promises to Fix Cross Site Scripting Bug


skype-bug
Skype has promised to fix a cross-site scripting flaw that exposes Windows users of VoIP technology to potential attack.

The flaw was discovered by independent security researcher Levent Kayan, who warned that a hacker might be able to enter a string of JavaScript code into the "mobile phone" field. This would enable a hacker – provided he or she could trick a victim into adding them as a contact – to either compromise the user's Skype account or to load malware onto the user's PC. Skype said that the bug is not very serious, but nonetheless promised an update by the end of the week.

The server-side bug created a possible mechanism for miscreants to redirect Skype users to potentially malicious websites, providing they successfully tricked users into adding them as a contact, as the VoIP outfit explains in an update to its official security blog.

Skype for Windows is not correctly validating some fields of your contacts' profiles. What this means is if one of your Skype contacts has put some specific strings into their profile, it could result in your Skype Home area being redirected to another web page or a message being displayed.

In order for someone to cause these messages to be popped up or to redirect you to a website, they would first have to be one of your accepted Skype contacts. However, this vulnerability should not be there and there is a fix, which we are finalising testing of, that is due to be pushed out early next week.
Cross Site Scripting (XSS) flaws, in general, can be used to present content or pop-ups from potentially hostile websites as if the content had originated from other domains. The class of vulnerability is sometimes used as an adjunct to more highly evolved and subtle phishing scams.

Skype said the necessary fix will be applied without troubling its users with software updates, indicating the bug can be resolved by an update to backend systems alone.