A vulnerability has been revealed in Skype for iOS version 3.0.1 and earlier that can allow attackers to execute malicious JavaScript code, enabling them to snatch your address book.
The vulnerability was discovered by AppSec Consulting security researcher Phil Purviance, who also made the video, and was reported to Skype a month ago, but Skype has yet to roll out a fix. Watch the video after the jump to see how the Skype iOS application is vulnerable to the attack.
Skype is aware of the security issue and is apparently working hard to rectify the problem as quickly as possible. Skype has released a statement saying:
“We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.”
Phil Purviance explains the issue:
“Executing arbitrary JavaScript code is one thing, but I found that Skype also improperly defines the URI scheme used by the built-in WebKit browser for Skype. Usually you will see the scheme set to something like, “about:blank” or “skype-randomtoken”, but in this case it is actually set to “file://”. This gives an attacker access to the user's file system, and an attacker can access any file that the application itself would be able to access.”
“File system access is partially mitigated by the iOS Application sandbox that Apple has implemented, preventing an attacker from accessing certain sensitive files. However, every iOS application has access to the user's AddressBook, and Skype is no exception.”
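The two conditions Purviance describes, script running in the embedded message view and that view having a `file://` origin, can each be closed off on the rendering side. The sketch below is an added example, not Skype's code: the function names, the choice of which fields hold untrusted text (the article does not say), and the sample input are all assumptions.

```javascript
// Added illustration, not Skype's code; every name below is hypothetical.

// Escape the five characters that let untrusted text break out of HTML
// element content or a quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Schemes that must never be the origin of a view rendering remote-controlled
// text: with a file: origin, page script inherits the app's own file access.
const FORBIDDEN_BASE_SCHEMES = new Set(['file:']);

function assertSafeBaseUrl(baseUrl) {
  const scheme = new URL(baseUrl).protocol.toLowerCase();
  if (FORBIDDEN_BASE_SCHEMES.has(scheme)) {
    throw new Error(`refusing to render chat HTML with base URL scheme ${scheme}`);
  }
  return baseUrl;
}

// Build the document handed to the embedded web view. Both text fields are
// treated as attacker-controlled (assumption). The CSP is defence in depth:
// in engines that enforce it, inline script and remote loads are blocked
// even if an escaping call is missed elsewhere.
function renderChatMessage(senderName, messageText, baseUrl) {
  assertSafeBaseUrl(baseUrl);
  const csp = "default-src 'none'; style-src 'unsafe-inline'";
  return [
    '<!doctype html>',
    `<meta http-equiv="Content-Security-Policy" content="${csp}">`,
    `<div class="sender">${escapeHtml(senderName)}</div>`,
    `<div class="body">${escapeHtml(messageText)}</div>`,
  ].join('\n');
}

// Constructed sample input: a display name that carries markup.
const sampleName = '<script>alert(1)</script>';
console.log(renderChatMessage(sampleName, 'hi & bye', 'about:blank'));

// A file: base URL is rejected before any HTML is produced.
try {
  renderChatMessage(sampleName, 'hi', 'file:///tmp/chat/');
} catch (err) {
  console.log(err.message);
}
```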
Source: TechCrunch