XSS bug in Skype for iPhone, iPad allows address book theft

A security researcher have created a proof of concept code that shows that a users AddressBook can be stolen from an iPhone or iPad.

A security researcher have created a proof of concept code that shows that a users AddressBook can be stolen from an iPhone or iPad.

The XSS bug is affecting the latest version of Skype for iOS, and works like that:

A Cross-Site Scripting vulnerability exists in the "Chat Message" window in Skype 3.0.1 and earlier versions for iPhone and iPod Touch devices.Skype uses a locally stored HTML file to display chat messages from other Skype users, but it fails to properly encode the incoming users "Full Name", allowing an attacker to craft malicious JavaScript code that runs when the victim views the message.

The researcher informed Skype of the issue on 24 August, and was told that an update to fix it would be released early in September.

Watch a video demonstration of the XSS bug in action.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All