XSS bug in Skype iPhone app allows address book theft
Posted on 20 September 2011.
A bug in the latest version of Skype for iPhone and iPod touch leaves its users vulnerable to having their address book stolen simply by viewing a specially crafted message, says AppSec Consulting security researcher Phil Purviance.

"Skype uses a locally stored HTML file to display chat messages from other Skype users, but it fails to properly encode the incoming user's 'Full Name', allowing an attacker to craft malicious JavaScript code that runs when the victim views the message," he explained on his blog.
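The encoding failure described above, as an added example that is not the article's or Skype's own code: a chat message is rendered into a local HTML view with and without HTML-encoding the sender's display name, plus a check that the rendered fragment contains only the tags the template itself emits. The function names and the sample display name are constructed for illustration.

```javascript
// Added example: rendering an incoming chat message into a local HTML view.
// The sender's display name is attacker-controlled and must be HTML-encoded
// before it is placed in markup. All names and values here are constructed.

// Encode the five characters that can change HTML context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: raw fields concatenated straight into markup, so any
// tag or event attribute in the display name becomes live HTML.
function renderMessageUnsafe(fullName, text) {
  return `<div class="msg"><b>${fullName}</b>: ${text}</div>`;
}

// Hardened pattern: every untrusted field is encoded for HTML text context.
function renderMessageSafe(fullName, text) {
  return `<div class="msg"><b>${escapeHtml(fullName)}</b>: ${escapeHtml(text)}</div>`;
}

// Defensive check: the rendered fragment may contain only the template's own
// tags. Anything else means an untrusted field reached the markup unencoded.
function hasOnlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  const allowed = new Set(['<div class="msg">', '<b>', '</b>', '</div>']);
  return tags.every((t) => allowed.has(t));
}

// Constructed sample: a display name carrying markup with an event handler.
const sampleName = 'Mallory <img src="x" onerror="x()">';
console.log(hasOnlyTemplateTags(renderMessageUnsafe(sampleName, 'hi'))); // false
console.log(hasOnlyTemplateTags(renderMessageSafe(sampleName, 'hi')));   // true
```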

He then created a proof-of-concept (PoC) attack that takes advantage of this XSS flaw.

When a user receives the message in question and opens it, the exploit code runs automatically in the background and makes the victim's device connect to a server previously set up by the attacker.

From there, the device fetches a second payload that instructs it to upload the file containing the address book to the server. All in all, the attack is carried out in just a few minutes.

Setting aside for a moment the Skype client's failure to properly sanitize input that lets JavaScript code run, the bigger problem demonstrated by this PoC is that, despite the iOS application sandbox that protects most files on the device, the AddressBook file is readable by every application installed on it.

That means that, in theory, the compromise of any installed app could hand the information contained in the AddressBook file to attackers.

According to H-Online, the researcher shared the details of the vulnerability with Skype at the end of August, but, as the company has confirmed, a fix is still in the works.
Copyright 1998-2014 by Help Net Security.