
Cross-Site Scripting Vulnerability in Skype iOS App Exposes Contact Information

Posted on September 20th, 2011 by

A cross-site scripting (XSS) vulnerability affecting Skype's iOS app has been discovered, and a video of it has been provided: sending a specific text message to a user can copy their Address Book. The attack uses JavaScript, and in the words of the person who found it, "Executing arbitrary Javascript code is one thing, but I found that Skype also improperly defines the URI scheme used by the built-in webkit browser for Skype." As a result, the Address Book data is sent to a remote server.

Contact information is not confidential in the way that, say, passwords are, but it does contain names, addresses, phone numbers and other data which hackers may use for identity theft, or e-mail addresses to use for sending spam.

Skype will have to update their app to fix this vulnerability. In the meantime, if you receive text messages from people you don't know, you should stop using the Skype app immediately.