Latest version of Skype susceptible to malicious code injection flaw

The latest version of Skype contains a dangerous flaw that could allow malicious injection of HTML/JavaScript code into a user's phone session.

According to a German security researcher, the latest version of Skype contains a dangerous flaw that could allow malicious injection of HTML/JavaScript code into a user's phone session.

In an advisory published on Wednesday, the researcher claims that:

An attacker could for example inject HTML/Javascript code. It has not been verified though, if it's possible to hijack cookies or to attack the underlying operating system. Attacker could give a try using extern .js files...

Skype's comments:

"We have had this reported to us by various media outlets and have confirmed that the person is mistaken, this is not a web window and while it does cause a phone number to be underlined, does nothing other than this," spokeswoman Brianna Reynaud wrote in an email.

However, the researcher said that the unsafe content is displayed when users view a booby-trapped profile. The technique works by inserting a JavaScript command or web address where a phone number is expected, since the profile entries (home, office and mobile phone and city) are embedded via HTML.
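The pattern the researcher describes, profile fields placed into HTML as-is, shown next to a hardened renderer. This is an added example, not code from the advisory or from Skype; the field names, the phone-number allowlist and the sample profile are assumptions constructed for illustration.

```python
import html
import re

# Fields the article says are embedded via HTML in the profile view
# (key names are hypothetical).
PROFILE_FIELDS = ("home_phone", "office_phone", "mobile_phone", "city")
PHONE_FIELDS = {"home_phone", "office_phone", "mobile_phone"}

# Assumed allowlist: optional leading +, then digits and common separators.
PHONE_RE = re.compile(r"\+?[0-9][0-9 ().\-]{2,24}")


def render_unsafe(profile):
    """The flawed pattern: field values are concatenated into markup as-is."""
    rows = [f"<tr><td>{name}</td><td>{profile.get(name, '')}</td></tr>"
            for name in PROFILE_FIELDS]
    return "<table>" + "".join(rows) + "</table>"


def render_safe(profile):
    """Validate phone fields against the allowlist, then escape every value."""
    rows = []
    for name in PROFILE_FIELDS:
        value = str(profile.get(name, ""))
        if name in PHONE_FIELDS and value and not PHONE_RE.fullmatch(value):
            value = ""  # drop anything that is not shaped like a phone number
        cell = html.escape(value, quote=True)
        rows.append(f"<tr><td>{name}</td><td>{cell}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


# Constructed sample profile: markup where a phone number is expected.
SAMPLE = {
    "home_phone": "+49 30 1234567",
    "mobile_phone": "<script>alert(1)</script>",
    "city": "<b>Berlin</b>",
}

if __name__ == "__main__":
    print(render_unsafe(SAMPLE))  # markup from the profile reaches the view
    print(render_safe(SAMPLE))    # phone field emptied, city shown as text
```

Validation and output encoding do different jobs here: the allowlist keeps non-numbers out of phone fields, while escaping covers free-text fields such as the city, where no strict format can be enforced.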

Hat tip to The Register.
