Warning: Skype For iPhone And iPad Apps Have Security Vulnerability That Allows Attacker To Steal Your Address Book

Skype for iPhone and iPad

If you use Skype’s app on your iOS devices then continue to read this article.

TechCrunch reports that Skype for iPhone and Skype for iPad have a cross-site scripting vulnerability in the chat message window. It allows an attacker to run malicious JavaScript code in the app, which can be used to extract information, including the user's address book, from the victim's iOS device.

AppSec Consulting security researcher Phil Purviance who discovered the vulnerability explains:

Executing arbitrary Javascript code is one thing, but I found that Skype also improperly defines the URI scheme used by the built-in webkit browser for Skype. Usually you will see the scheme set to something like “about:blank” or “skype-randomtoken”, but in this case it is actually set to “file://”. This gives an attacker access to the user's file system, and an attacker can access any file that the application itself would be able to access.

File system access is partially mitigated by the iOS Application sandbox that Apple has implemented, preventing an attacker from accessing certain sensitive files. However, every iOS application has access to the user's AddressBook, and Skype is no exception.
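The two defects Phil describes are independent: untrusted chat text interpolated into the view's HTML (the XSS), and a `file://` base URL that gives any injected script the app's file-system reach. The following is an added example, not Skype's code and not from Phil's post, showing a chat-view renderer with the vulnerable and hardened patterns side by side plus a base-URL check; the function names and the sample message are constructed for illustration.

```javascript
// Added example: rendering untrusted chat text into a WebView-style HTML page.
// Function names and sample values are hypothetical; nothing here is Skype's code.

// Escape the five characters that let text break out of an HTML text node or attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the sender name and message body go into the markup as-is,
// so a message containing a tag is parsed as markup by the WebKit view.
function renderMessageUnsafe(sender, body) {
  return `<div class="msg"><b>${sender}</b>: ${body}</div>`;
}

// Hardened pattern: every untrusted value is escaped before interpolation,
// so the same message is displayed as literal text.
function renderMessageSafe(sender, body) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(body)}</div>`;
}

// Allow-list the base URL handed to the view: null (about:blank semantics),
// an about: or https: URL, or an app-private scheme such as the "skype-randomtoken"
// style Phil mentions. A file:// base is never acceptable for a chat view.
function isAcceptableBaseUrl(baseUrl) {
  if (baseUrl === null || baseUrl === undefined) return true;
  let u;
  try {
    u = new URL(baseUrl);
  } catch (e) {
    return false; // unparsable value: fail closed
  }
  return u.protocol === "about:" || u.protocol === "https:" || u.protocol.startsWith("skype-");
}

// Constructed sample: a display name carrying a textbook XSS canary.
const SAMPLE_SENDER = "Mallory<script>alert(1)</script>";
const SAMPLE_BODY = "hi & \"hello\"";

// Convenience check a test suite can run: does the hardened output still contain a tag?
function rendersInert(sender, body) {
  return !/<script/i.test(renderMessageSafe(sender, body));
}
```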

Phil has also created a video to show how the vulnerability can be exploited:

He apparently reported the security issue to Skype nearly a month ago. Skype has acknowledged the issue and has issued the following statement:

“We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.”

Let’s hope that the fix is released soon. Until then, please be extra cautious when accepting friend requests.

[Phil’s blog via TechCrunch]


  • nabariba

    cool, let's get hacking

  • kashyap

    it's written skye in heading… please correct

    • http://www.iphonehacks.com/ iPhoneHacks

      Thanks for pointing it out, we’ve corrected the typo.

  • http://www.motorbeam.com/ fas

    Oh no, why is Skype not working on it.

  • FredMC

    Something else that should be pointed out is that the Skype app for the iPad doesn’t work on jailbroken pads.

    • guest

      yes it does

    • Another Guest

      What a stupid-ass statement. Works fine on JB iPad.

  • Зло

    Address Book! Who gonna need that? Maybe losers need some tel numbers from girls. Who knows. But it's just stupid to get someone's address book

  • l8te9ight

    Phil Purviance you must be the most bored mofo in the world. Skye vulnerabilities??? Seriously, dude has too much time on his hands.