An Armenian hacker is claiming that Skype has failed to learn from prior security lessons, falling victim to a cross-site scripting (XSS) vulnerability similar to one it patched in May, which would allow users to redirect victims to unwanted websites or run arbitrary code.
The May vulnerability allowed users to fool the Mac client of Skype into running arbitrary code as the client didn't check, or sanitise, instant messages to ensure they were free of malicious code.
While Skype issued a low-priority patch at the time, a 28-year-old Armenian-based security engineer, Levent "noptrix" Kayan, claimed on Wednesday night that a similar XSS vulnerability existed elsewhere in Skype's software.
He said that the failure to sanitise certain user information or the output rendered in Skype clients could still allow code to be executed.
In particular, Kayan claimed that he could see remote users' session information, which he said a malicious user could utilise to masquerade as the remote user and make calls on their account.
He also said it could be used to take advantage of other holes, possibly allowing full control over the PC. Both of the latest versions of Windows and Mac clients are affected.
Kayan's proof of concept shows the dumping of session information.
(Credit: Levent Kayan)
He told ZDNet Australia: "An attacker would need to [submit] malicious code. The victim doesn't have to do anything. He will be attacked, when he just logs into his account."
Skype said the vulnerability was considered a minor issue and that it had developed a fix for it which would be deployed next week.
Skype's head of information security, Adrian Asher, said that in order to exploit this, a person would have to be a validated contact of yours and one of the most frequent people you are in contact with and was therefore very unlikely to cause any issues in the real world. Nevertheless, he said the vulnerability shouldn't have existed and it would be fixed.
Additionally, Skype said that the session information that Kayan had been able to access was in relation to the web session IDs and not Skype IDs, suggesting that the attacker couldn't make calls using the exploit. It did, however, concede that it was possible for a victim's contacts to redirect them to any website using the web browser built into the Skype client, but stressed that only validated contacts would be able to do so. In the meantime, it said users should not authorise people they do not know and/or do not want to talk to.
HackLabs director, Chris Gatford, said that it was common to come across these sorts of vulnerabilities in the work penetration testing of client systems his company does.
"I would suggest that 80 per cent, perhaps even 90 per cent of the time, cross-site scripting vulnerabilities are present," he said.
Gatford mentioned the previous XSS vulnerability in the Skype client and thought that it was surprising that Skype had not patched all of its input validation problems when it was previously brought to its attention.
"This would be a simple fix for them. To be honest, I'm kind of surprised they didn't learn their lesson the first time and extend the fix system-wide then."