Skip to main content

Cross-site scripting

See All Stories

Skype on iOS has a big hole that can send your AddressBook to a hacker [video]

Site default logo image

[youtube=http://www.youtube.com/watch?v=Ou_Iir2SklI]

Security firm SuperEVR posts a video of their exploit which always makes it more real/scary.

I found that Skype also improperly defines the URI scheme used by the built-in webkit browser for Skype. Usually you will see the scheme set to something like, “about:blank” or “skype-randomtoken”, but in this case it is actually set to “file://”. This gives an attacker access to the users file system, and an attacker can access any file that the application itself would be able to access.

File system access is partially mitigated by the iOS Application sandbox that Apple has implemented, preventing an attacker from accessing certain sensitive files. However, every iOS application has access to the users AddressBook, and Skype is no exception.

I imagine the iPad app is also susceptible .

TechCrunch notes:

Skype says it is aware of the security issue, and had issued the following statement:

“We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.”

The non-patronizing first sentence would have been sufficient, Skype.

Skype is on a #Winning streak since it got bought by Microsoft earlier this year.