Skype Cross-Site Scripting Flaw Enables Phone Session Attacks

The cross-site scripting vulnerability occurs in Skype 5.5.1.113, affecting Windows XP, Vista and 7, and stems from a persistent code injection vulnerability due to a validation input error that prevents the VoIP client from properly inspecting phone numbers sourced from users’ home, office and mobile Skype accounts, according to researcher Levent Kayan.

Attackers who exploit the flaw could potentially inject the Skype session with malicious HTML/Javascript code, Kayan said in an advisory, although, “It has not been verified though, if it’s possible to hijack cookies or to attack the underlying operating system,” he added.

During an attack, users could be exposed to malicious code via a booby-trapped profile, which hackers could create by injecting a malicious JavaScript command or Web address in the place of a phone number, Kayan told The Register .

The vulnerability could also enable an attacker to embed an infected link on a victim’s Skype client that leads to a malicious Web site.

id
unit-1659132512259
type
Sponsored post

Skype has since disputed the vulnerability.

“We have had this reported to us by various media outlets and have confirmed that the person is mistaken, this is not the Web window and while it does cause a phone number to be underlined, does nothing other than this,” wrote a Skype spokesperson in an e-mail.

However, this is not the first time that a security flaw has been found in the popular voice-over IP service, soon to be acquired by Microsoft.

In July Kayan had revealed another Skype cross-site scripting vulnerability , which enabled attackers to change a user’s password and hijack their computer remotely. The vulnerability was mitigated slightly due to the fact that the victim user and the attacker had to be friends on Skype for an exploit to work. However, once executed, Kayan said that the attack was easily repeatable.

Meanwhile, another security researcher discovered in May that the Skype client for Apple Mac computers contained a critical zero-day vulnerability allowing attackers to execute remote code attacks and take complete control of the victim’s computer.

“The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victims Mac. It is extremely wormable and dangerous,” according to Gordon Maddern in a Pure Hacking blog post.