Thursday 22 September 2011

Skype for iOS Vulnerability Allows Attacker to Steal Address Book Just By Sending a Chat Message

A cross-site scripting (XSS) vulnerability has been found in the “Chat Message” window of Skype for iOS. The vulnerability can be exploited simply by sending a specially crafted chat message to a Skype user. Skype uses a locally stored HTML file to display chat messages from other users, but it doesn’t properly encode the incoming user’s “Full Name”. As a result, an attacker can craft malicious JavaScript code that runs when the victim views the message.
Because of the way Skype uses the built-in WebKit browser, any JavaScript run via the Chat Message exploit can access the local user file system. Access to files on iOS devices is restricted by the underlying operating system, but every iOS application has access to the user’s AddressBook. This has allowed Phil Purviance to create a proof-of-concept injection and attack that downloads a user’s address book to a remote server just by sending a Skype chat message.
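The missing output encoding described above, shown next to the fix, as an added example that is not Skype's code. The message shape, the function names, the HTML template and the assumption that the message body was already encoded are all hypothetical.

```javascript
// Added illustration; not taken from Skype. All names and the template are assumed.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the sender-controlled full name is concatenated into markup as-is.
function renderMessageUnsafe(msg) {
  return `<div class="msg"><span class="sender">${msg.fullName}</span>` +
         `<span class="body">${escapeHtml(msg.body)}</span></div>`;
}

// "After": every field that originates from the remote user is encoded.
function renderMessageSafe(msg) {
  return `<div class="msg"><span class="sender">${escapeHtml(msg.fullName)}</span>` +
         `<span class="body">${escapeHtml(msg.body)}</span></div>`;
}

// Regression check: list opening tags in the output that the template itself
// never emits. Anything returned here came from remote data.
function injectedTags(html) {
  const templateTags = new Set(['div', 'span']);
  return [...html.matchAll(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase())
    .filter((tag) => !templateTags.has(tag));
}

// Constructed sample message with markup in the display name.
const sampleMessage = {
  fullName: 'Eve <script>/* constructed marker */</script>',
  body: 'hi <there>',
};

console.log(injectedTags(renderMessageUnsafe(sampleMessage))); // [ 'script' ]
console.log(injectedTags(renderMessageSafe(sampleMessage)));   // []
```

Encoding at the point of output covers every remote profile field, not just the message body, which is the gap the article describes.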
Phil told Skype about the vulnerability almost a month ago and was told that an update would be released early this month.
Skype says it is aware of the security issue and has issued the following statement:
“We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.”
Phil also created a video showing the exploit in action: