October 22, 2014

Skype Code Injection Vulnerability

(LiveHacking.Com) – Noptrix.net has published details of a new a Skype HTML/Javascript code injection vulnerability. Affecting Skype versions <= 5.5.0.113 on Windows (XP, Vista, 7), the advisory describes a persistent code injection vulnerability due to a lack of input validation and output sanitization of home, office and mobile profile entries.

By using this vulnerability an attacker could inject HTML/Javascript code. Noptrix.net has not verified if it’s possible to hijack cookies or to attack the underlying operating system.

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks

Comments

  1. I´ve followed the steps of Noptrix (http://packetstormsecurity.org/files/view/104155/skypeinject-xss.txt) and i believe it is possible to hijack the cookies with the help of Fiddler… Someone please correct me if i´m wrong… i´ll update soon :)

  2. Yes, it is working fine with the last version in Windows.

  3. All versions of Skype are vulnerable.