He then created a PoC attack taking advantage of this XSS flaw.
When a user receives the message in question and opens it, the exploit code runs automatically in the background and makes the victim's device connect to a server previously set up by the attacker.
From there, the device grabs another payload which orders it to upload the file containing the address book onto the server. All in all, the attack is executed in just a few minutes.
That means that, in theory, the compromise of any of these apps could yield the information contained in the AddressBook file to attackers.
According to H-Online, the researcher shared the information about the vulnerability with Skype at the end of August but, as confirmed by the company, the fix is still in the works.