Skype: We’re Aware of XSS Exploit, iPhone App Update Coming

Yesterday the security blog Superevr reported in detail an XSS vulnerability in the current Skype iPhone app that allows an attacker to steal your entire address book:

A Cross-Site Scripting vulnerability exists in the “Chat Message” window in Skype 3.0.1 and earlier versions for iPhone and iPod Touch devices.

Skype uses a locally stored HTML file to display chat messages from other Skype users, but it fails to properly encode the incoming user's "Full Name", allowing an attacker to craft malicious JavaScript code that runs when the victim views the message.

[Image: a chat message carrying the malicious "Full Name". Run away if you see a chat like this.]

[Image: the XSS exploit running.]
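To make the encoding failure concrete, here is an added JavaScript example of the bug class Superevr describes. It is not Skype's code and not taken from the write-up: the message fields, the HTML template and the payload are all assumptions. The unsafe renderer pastes the sender's "Full Name" straight into the HTML that the chat view loads, so markup in the name becomes part of the page; the hardened renderer HTML-encodes every untrusted field at the point it is written into the page.

```javascript
// Added example (not Skype's code, not from the Superevr write-up): a toy
// model of a chat window that builds a local HTML page from incoming
// messages. Field names, the template and the payload are assumptions.

// Vulnerable pattern: the sender's "Full Name" and message text are
// concatenated straight into the HTML, so any markup in them becomes part
// of the page the WebView renders, and any script in it executes.
function renderMessageUnsafe(msg) {
  return '<div class="msg"><b>' + msg.fullName + '</b>: ' + msg.text + '</div>';
}

// HTML-encode the characters that can open markup or break out of a quoted
// attribute. The output is safe in element text and in quoted attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened pattern: every untrusted field is encoded where it is written
// into HTML. The visible text is identical; only the markup differs.
function renderMessageSafe(msg) {
  return '<div class="msg"><b>' + escapeHtml(msg.fullName) + '</b>: ' +
         escapeHtml(msg.text) + '</div>';
}

// Check used by this demo: does the rendered HTML contain any tag other than
// the renderer's own <div>/<b> template? Any other tag came from user data.
function hasForeignTags(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some((t) => !/^<\/?(div|b)$/.test(t));
}

// Constructed sample traffic: one benign contact and one whose Full Name
// carries an event-handler payload (an attribute-based XSS vector).
const SAMPLE_MESSAGES = [
  { fullName: "Ann O'Brien", text: 'hi <3' },
  { fullName: '<img src=x onerror="alert(document.cookie)">Mallory', text: 'hello' },
];

// Render every sample message with the given renderer and flag injections.
function demo(renderer) {
  return SAMPLE_MESSAGES.map((m) => {
    const html = renderer(m);
    return { html, injected: hasForeignTags(html) };
  });
}

for (const r of demo(renderMessageUnsafe)) console.log('unsafe injected=' + r.injected + ' ' + r.html);
for (const r of demo(renderMessageSafe)) console.log('safe   injected=' + r.injected + ' ' + r.html);
```

Two things worth noting. The benign name "Ann O'Brien" renders the same to the reader either way, which is exactly why the missing encoding goes unnoticed until someone sends markup. And encoding is context-specific: `escapeHtml` covers element text and quoted attribute values, but a name written into a URL, a `<script>` block or an unquoted attribute needs the encoding for that context, and a DOM text node (`createTextNode`) avoids string-building altogether.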

The test was done on an iPhone 4 running iOS 4.3.5. The researcher, Phil, mentions that he had pointed out this issue back in late August and was told an "update was coming". Skype has now responded to the published exploit via TechCrunch and says a fix is on the way:

“We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.”

So how do you protect yourself and your contact list? Wait for it… only accept friend requests from people you know!

Check out the video of the entire exploit in action below:

Great find by Phil. I use Skype all the time and the number of "spam" contact requests is definitely overwhelming. Using due diligence is one way to protect yourself.

[via Apple Headlines]