Skype "mood feature" security vulnerability reported

From Vilnius, Lithuania, Internet security expert Miroslav Lučinskij blogs about what sounds like a security bug in a Skype partner feature: the danger of executing "malicious script content" through the "mood feature" option, which lets a user pick a video from a partner site and attach it to his mood.

(Image: youtubeskypevul.jpg, a screen capture from the YouTube video described below)


The grab at the top of this post is grainy because it is a freeze-frame (whatever happened to the J. Geils Band, anyway?) screencap of a YouTube video demonstrating the bug and its consequences.

Larry has more here, along with a clearer pic:

(Image: skype1.png, a clearer screenshot from Larry's post)

Now back to Miroslav, who first reported this. Take it away, Miroslav:

Skype has a feature which allows a user to insert a video into his mood. Video selection is done through Skype partners and is based on regular web functionality, so this feature practically inherits the web's problems; in this particular case, XSS attacks. In fact, Skype security is now dependent on their partners' website security, as no additional measures are taken to filter possible malicious content that may come from the partners; dailymotion and metacafe are treated like trusted resources. This is wrong and may cause trouble.

We were able to find some permanent XSS vectors in dailymotion.com: videos have a 'Title' field which is not properly filtered and is returned to the user under certain conditions. So it becomes possible to execute malicious script content when a user is searching for a video to add to his mood. You may also test it by entering the word 'saugumas' in the dailymotion.com video search field.

Although only a tiny minority of Skype users would ever use this feature, even that tiny minority wouldn't want malicious script content to muck with their day.
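To make the mechanism concrete, here is an added example (not code from Skype, dailymotion, or Miroslav's post) of the class of bug he describes: a partner video-search page that writes user-supplied video titles straight into its HTML, shown next to an escaped version. The sample results, the field names and the payload are constructed for illustration; the point is that whatever renders the partner page, including an IM client's embedded browser, executes whatever markup the title carries.

```javascript
// Added example, not Skype's or any partner's code: a stand-in for a
// partner video-search results page that renders user-supplied titles.

// Constructed sample of what a partner search backend might return. The
// second title is the kind of attacker-controlled value the post describes:
// a stored 'Title' field that is later shown to other users.
const SAMPLE_RESULTS = [
  { id: "x1", title: "Lithuanian basketball highlights" },
  { id: "x2", title: '<img src=x onerror="alert(document.cookie)">' },
];

// Vulnerable rendering (the 'before'): the title is concatenated straight
// into markup, so a title containing tags becomes live DOM in the page,
// and any event handler in it runs in whoever loaded the search results.
function renderResultsUnsafe(results) {
  return results
    .map((r) => `<li data-id="${r.id}">${r.title}</li>`)
    .join("\n");
}

// Minimal HTML escaper, adequate for text nodes and double-quoted
// attribute values (the only two contexts used below).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: every untrusted value is escaped for the context it
// lands in, so the same stored title is displayed as inert text.
function renderResultsSafe(results) {
  return results
    .map((r) => `<li data-id="${escapeHtml(r.id)}">${escapeHtml(r.title)}</li>`)
    .join("\n");
}

// Stand-alone run: print both renderings for comparison.
console.log("unsafe:\n" + renderResultsUnsafe(SAMPLE_RESULTS));
console.log("safe:\n" + renderResultsSafe(SAMPLE_RESULTS));
```

The escaping fix belongs on the partner side, but it is exactly the measure Miroslav says the consuming application does not add on its own: a client that loads a third party's page into an embedded browser inherits that page's output-encoding discipline, good or bad.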
