Skype confirms XSS vulnerability in iPhone app
The XSS vulnerability in use on the iPhone
Source: superevr.com
An XSS bug in the iPhone and iPad version of the Skype client, in combination with an incorrect WebKit setting, allows an attacker to directly access files on the device, including the user's Address Book. The XSS bug itself is an incorrect encoding of the incoming user's "Full Name" which allows JavaScript code to be embedded in it.
The problem is made more exploitable by the way Skype uses the embeddable WebKit browser; Skype developers have set the URI scheme for the embedded browser to "file://". This error allows an attacker to access the file system and read any file that the app would be allowed to read by the iOS application sandbox. One file that every iOS application has access to is the user's SQLlite AddressBook database. In a demonstration of the bugs, Phil Purviance, AppSec Consulting security researcher, showed how it was possible to extract the iPhone address book using the vulnerabilities.
Phil Purviance demonstrates the XSS vulnerability in Skype for iOS
Purviance says he informed Skype of the issue on 24 August and was told that an update to fix it would be released early in September. Skype has now confirmed there is an issue and told media sources "we are working hard to fix this reported issue in our next planned release which we hope to roll out imminently".
See also:
- Vulnerability in Skype allows accounts to be hijacked, a report from The H.
(djwm)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
