Printed from http://www.macnn.com

Serious XSS vulnerability found in Skype for iOS

updated 07:25 pm EDT, Tue September 20, 2011

Users' address books could be copied

A security researcher going by "Phil P", who runs the Superevr security blog, has found a serious scripting vulnerability in the chat messaging feature of Skype versions 3.01 and earlier for the iPhone and iPod Touch. It can execute malicious JavaScript code without the user being fully aware of it, giving the attacker access to the contents of any file the Skype app itself can read, such as the user's address book.

The flaw results from the Skype program failing to properly encode the incoming user's "Full Name" field, which means JavaScript code can be placed in that field instead of a name. The victim still receives a message from the attacking user, but with the name replaced by the first characters of the code string.

This flaw alone would not cause a serious issue, except that Skype also improperly allows its built-in WebKit browser view to load "file://" URLs, giving access to the file system under Skype's own permissions, which include access to the iOS contact list. In the video below, Phil demonstrates the delivery of a Base64-encoded JavaScript file (which is then decoded by the attacker's server) that runs to copy the device's contact list back to the attacking server (in SQLite format).

Apple's built-in iOS application sandboxing prevents the attack from reaching anything beyond the files Skype itself has access to. Skype on iOS is set by default to allow only existing contacts to chat with a user, which would largely prevent such an attack from being seen "in the wild"; but if the "established contacts only" setting is turned off, random chatters could execute malicious JavaScript on iOS devices. As the attack is carried over HTTP, a firewall or blocked ports would not prevent it.
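The two missing defences the article describes, HTML-encoding the "Full Name" field before it reaches the WebKit view and refusing "file://" navigations, as an added illustration in JavaScript; this is not Skype's code, and the function names and sample input are constructed for the example.

```javascript
// Added example (not Skype's code): the two checks whose absence the article
// describes, as a defender would implement them in a WebKit-backed chat view.
// 1. HTML-encode untrusted fields (such as a contact's "Full Name") before they
//    are inserted into the chat HTML, so markup in the field renders as text.
// 2. Allow only http(s) navigations from the view, so "file://" URLs cannot be
//    loaded under the app's own file-system permissions.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every HTML-significant character in an untrusted string.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Build the HTML for one incoming chat message. Name and body are treated as
// data, never as markup, so a name that carries a script tag shows up as text.
function renderMessage(fullName, body) {
  return '<div class="msg"><span class="from">' + escapeHtml(fullName) +
         '</span>: <span class="body">' + escapeHtml(body) + '</span></div>';
}

// Scheme allowlist for navigations the embedded view is permitted to perform;
// everything else (file:, javascript:, unparsable input) is refused.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function isNavigationAllowed(url) {
  try {
    return ALLOWED_SCHEMES.has(new URL(url).protocol);
  } catch (e) {
    return false; // unparsable URL: refuse rather than guess
  }
}

// Constructed sample input: a display name that carries markup instead of a name.
const sampleName = '<script>alert(1)</script>Phil';
const safeHtml = renderMessage(sampleName, 'hello');
// safeHtml contains "&lt;script&gt;" and no literal "<script" tag.
```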

This new vulnerability echoes a similar problem found in May by security researcher Guy Maddern, who discovered a way to execute a malicious payload in chat mode using Skype for Mac (version 5.x). The company said at the time that the issue, which gave attackers the chance of gaining full privileges on the compromised machine, had been discovered and fixed before reports of it appeared.

Attacking message is received using JS code in Full Name field

JavaScript attack executes

by MacNN Staff


Comments

  1. bitwrangler

    Joined: Dec 1969

    +3

    comment title

    That's the problem with any security: at some point you have to trust something (in this case Skype's access to your contacts), and that's where the vulnerabilities come in. Hopefully Skype will address the issue quickly.

  2. facebook_Collin

    Via Facebook

    Joined: Sep 2011

    -1

    This is what happens when...

    Micro$oft buys Skype.
