Silly hackers are always trying to ruin the Internet and they have found yet another target in the form of popular VOIP software Skype. According to the sweetest text security report ever, linked from h-online’s recap:
“Skype suffers from a persistent Cross-Site Scripting vulnerability due to a lack
of input validation and output sanitization of the ‘mobile phone’ profile entry.
Other input fields may also be affected.”
I love that—output sanitization. Basically what this means is that an attacker can embed JavaScript in the mobile phone field of his or her profile description. Skype doesn’t filter this field which means this JavaScript can be executed when a contact of the attacker logs in. From there, all kinds of bad things can happen like account access or even system level access. According to Levent Kayan, the current version of Skype is affected (ver. 5.3.0.120 ) and Skype is aware of the issue and should have a patch available next week. Skype is downplaying the issue a bit noting that “the attacker must appear in the victim’s list of frequent contacts” in order to take advantage of the security issue.
What is the moral of the story? Until next week, remember that your mother-in-law overseas (with whom you Skype on a regular basis) can now compromise your system and bring you down! Beware!