May 17, 2012

Has Skype for iOS Vulnerability Been Fixed?

(LiveHacking.Com) - A new version of Skype (3.5.84) for the iPhone and iPad appeared in the App Store yesterday with lots of new features like Bluetooth support and image stabilization. But the “What’s New” section also mentions “Bugfix for security vulnerability.” Currently Skype are keeping quiet about exactly which “security vulnerability” has been fixed; however, it is most likely to be the Cross-Site Scripting vulnerability found in the “Chat Message” window which could allow an attacker to download a copy of the phone’s address book.

The vulnerability, which was found last week, can be exploited by simply sending a specially crafted chat message to a Skype user. Skype uses a locally stored HTML file to display chat messages from other users, however it doesn’t properly encode the incoming user’s “Full Name”. The result is that an attacker can create malicious JavaScript code that runs when the victim views the message.

Skype has a published a blog post about the new iOS version where it explains the new anti-shake feature and the support for Bluetooth, however it mentions nothing about the security fix.

It is recommended that every iPhone/iPad Skype user updates to this new version but it is also worth noting that there have been reports of problems with the new version including 1) Skype Credit not showing 2) Contacts slow to sync 3) Account settings (e.g. photo, name, profile) not appearing.

To remedy these, Skype suggest deleting your Skype app and starting a new installation from scratch. To delete the app, press and hold the app icon on your iPhone, and click the ‘X’. To re-install, return to the AppStore, and install.

Skype for iOS Vulnerability Allows Attacker to Steal Address Book Just By Sending a Chat Message

(LiveHacking.Com) - A Cross-Site Scripting vulnerability has been found in the “Chat Message” window of Skype for iOS. The vulnerability can be exploited by simply sending a specially crafted chat message to a Skype user. Skype uses a locally stored HTML file to display chat messages from other users, however it doesn’t properly encode the incoming user’s “Full Name”. The result is that an attacker can create malicious JavaScript code that runs when the victim views the message.

Because of the way Skype uses the built-in WebKit browser, any JavaScript run via the Chat Message exploit can access the local user file system. Access to files on iOS devices is restricted by the underlying operating system, but every iOS application has access to the user’s address book. This has allowed Phil Purviance to create a proof of concept injection and attack that downloads a user’s address book to a remote server just by sending a Skype Chat Message.
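The defect described above (and in the first article on this page) is a missing output-encoding step: a sender-controlled field is concatenated into the HTML that the embedded web view renders. The following is an added example, not Skype’s code, showing the vulnerable pattern beside the hardened one and a simple check a reviewer can run over rendered output. The function names and the hostile display name are constructed for the demonstration.

```javascript
// Added example (not Skype's code): render a chat message into an HTML
// template the way an embedded WebKit view would consume it, once without
// output encoding (the defect described in the article) and once with it.

// Escape the five characters that can break out of HTML text or an
// attribute value. Everything the Full Name contains is then shown as text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the sender's display name is concatenated straight
// into the markup, so a name containing tags becomes live HTML/JavaScript.
function renderMessageUnsafe(fullName, text) {
  return '<div class="msg"><b>' + fullName + '</b>: ' + text + '</div>';
}

// Hardened pattern: every untrusted field is encoded before insertion.
function renderMessageSafe(fullName, text) {
  return '<div class="msg"><b>' + escapeHtml(fullName) + '</b>: ' +
         escapeHtml(text) + '</div>';
}

// Review check: did any untrusted input survive as an element that can run
// script or as an inline event-handler attribute?
function containsActiveMarkup(html) {
  return /<\s*(script|iframe|img|svg|object|embed)\b/i.test(html) ||
         /\son[a-z]+\s*=/i.test(html);
}

// Constructed sample: a display name carrying a script tag.
const HOSTILE_NAME = 'Bob <script>alert(1)</script>';
const BODY = 'hello';

function demo() {
  const unsafe = renderMessageUnsafe(HOSTILE_NAME, BODY);
  const safe = renderMessageSafe(HOSTILE_NAME, BODY);
  return {
    unsafeIsActive: containsActiveMarkup(unsafe), // true
    safeIsActive: containsActiveMarkup(safe),     // false
    safe,
  };
}
```

Encoding at the point of insertion is the fix the article implies; a Content Security Policy on the local HTML file would add a second layer, but it does not replace the encoding step, because the name is still written into markup.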

Phil told Skype about the vulnerability almost a month ago and was told that an update would be released early this month.

Skype says it is aware of the security issue, and has issued the following statement:

“We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.”

Phil also created a video showing the exploit in action:

Skype Code Injection Vulnerability

(LiveHacking.Com) - Noptrix.net has published details of a new Skype HTML/JavaScript code injection vulnerability. Affecting Skype versions <= 5.5.0.113 on Windows (XP, Vista, 7), the advisory describes a persistent code injection vulnerability due to a lack of input validation and output sanitization of home, office and mobile profile entries.

By using this vulnerability an attacker could inject HTML/JavaScript code. Noptrix.net has not verified if it’s possible to hijack cookies or to attack the underlying operating system.

Is There an Unpatched Vulnerability in Skype for Mac? Yes and No.

Gordon Maddern caused quite a stir over the weekend when he blogged about a zero-day vulnerability in the Mac OS X client of Skype. According to Gordon, who is part of Pure Hacking, a security consultancy company, he discovered the vulnerability over a month ago and notified Skype. They responded with “Thank you for showing an interest in skype security, we are aware of this issue and will be addressing it in the next hotfix.” However, after a month of silence Gordon decided to go public.

Skype responded quickly saying that the vulnerability has been fixed. “At the time they alerted us, we were already aware of the issue and were working on a fix to protect Skype users from this vulnerability… We subsequently released a hotfix for this problem in a minor update (Skype for Mac version 5.1.0.922) on April 14th.”

However the problem was that since there were no reports of this vulnerability being exploited in the wild, Skype did not prompt its users to install this update, as, according to Skype, “there is another update in the pipeline that will be sent out early next week.”

Gordon has subsequently updated his blog: “We can confirm that skype has fixed this issue in 5.1.0.922. It requires a manual update. All prior versions are vulnerable. According to skype this patch will be pushed out next week.”

To update your Skype for Mac client just click on Skype -> Check for Updates or you can download the software here.

Analysis: Skype got this wrong by not notifying its users of the upgrade. A month is a long time in information security. If another hacker discovered the same flaw and launched an attack it could have harmed Skype’s reputation enormously.

Skype for Android Updated – Fixes Privacy Vulnerability

A few days ago Justin Case of the Android Police web site discovered that the Android version of Skype uses a simple sqlite3 database to store contacts, profile information and instant message logs, but that the permissions of the database were badly set, exposing this private information to any other app on the device which cared to take a look.

Now Skype have updated the app to version 1.0.0.983 and in doing so have corrected the permissions on the database files. According to a post on the Skype Security blog Skype “have had no reported examples of any 3rd party malicious application misusing information from the Skype directory on Android devices” but they “will continue to monitor closely.”

Skype is recommending that users update to this new version as soon as possible in order to help protect their information. The update is available from the Get Skype section on skype.com, or from the Android Market links on skype.com.

According to the Android Police web site Justin Case, who originally found the issue, has taken a look at the updated version and confirmed that the proof-of-concept app he developed to demonstrate the vulnerability no longer functions.

As well as fixing the database permissions Skype have also added 3G calling in the U.S. Previously, calling in the States was only available via Wi-Fi (except for Verizon users who needed to download a special version of the app).

Skype for Android Stores Private Data in Unencrypted DB Accessible by Other Apps

Justin Case of the Android Police web site has discovered that the Android version of Skype uses a simple sqlite3 database to store contacts, profile information and instant message logs. This isn’t bad in itself, but due to a lack of encryption and badly set permissions, this private information is accessible to any other app on the device which cares to take a look.

The databases are stored in the Skype data directory (which has the same name as the configured Skype username). The main database (imaginatively called main.db) has tables for data like account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, webpage, bio and so on. There are also other tables with similar information on the contacts and another table recording the instant messages.

Justin has created a proof-of-concept app that once installed on the device can read the Skype databases. It would be relatively easy for a malicious hacker to create a harmless looking app which in the background snoops around the Skype databases and sends the information to a collection server on the Internet.

Skype has responded to this vulnerability by saying that they “take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.”

They also say that “to protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.”

Web sites can launch iPhone applications without prompting

Specially crafted web sites can launch iPhone and iPod Touch apps without the Safari browser asking the user for permission when certain URL protocol handlers (URL schemes) are called. For instance, according to security researcher Nitesh Dhanjani, a web site can use the iframe <iframe src="skype://14085555555?call"></iframe> to launch the Skype app and automatically call a number – provided that the user has saved Skype access data. Criminals would also be able to play around with a number of other applications. For a list of the protocols currently used in the iPhone, see the URL scheme index.
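The behaviour above hinges on markup that the browser loads without any user action carrying a URL whose scheme belongs to another application. The following is an added example, not from the article, Nitesh Dhanjani or Apple, of a page scanner that pulls the automatically loaded URLs out of HTML and flags those with a non-web scheme; it is the kind of check a proxy or content filter could apply. The HTML it scans is constructed, reusing the iframe quoted in the article, and the set of schemes treated as ordinary web content is an assumption.

```javascript
// Added example (not from the article or Apple): scan page markup for
// elements that load a URL automatically and flag any whose scheme is not
// ordinary web content, i.e. a custom app URL scheme that a browser may
// hand to another application without asking. The HTML is constructed.

// Schemes the browser itself handles; anything else is treated as an app scheme.
const WEB_SCHEMES = new Set(['http', 'https', 'data', 'blob', 'about']);

// Extract the scheme of a URL, or null for relative URLs.
function schemeOf(url) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Elements whose src is fetched or opened without a user action.
const AUTO_LOAD =
  /<(iframe|img|script|embed|object|frame)\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
// <meta http-equiv="refresh" content="0;url=..."> navigates on its own too.
const META_REFRESH =
  /<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)/gi;

// Return every auto-loaded URL with a non-web scheme as { element, scheme, url }.
function findAutoLaunchUrls(html) {
  const hits = [];
  let m;
  while ((m = AUTO_LOAD.exec(html)) !== null) {
    const url = m[2] ?? m[3] ?? m[4];
    const scheme = schemeOf(url);
    if (scheme && !WEB_SCHEMES.has(scheme)) {
      hits.push({ element: m[1].toLowerCase(), scheme, url });
    }
  }
  while ((m = META_REFRESH.exec(html)) !== null) {
    const scheme = schemeOf(m[1]);
    if (scheme && !WEB_SCHEMES.has(scheme)) {
      hits.push({ element: 'meta-refresh', scheme, url: m[1] });
    }
  }
  return hits;
}

// Constructed page: one ordinary image, one relative script, a web-only
// meta refresh, and the iframe quoted in the article.
const SAMPLE_HTML = `
<html><head>
<meta http-equiv="refresh" content="30;url=https://example.invalid/">
</head><body>
<img src="https://example.invalid/logo.png">
<script src="/app.js"></script>
<iframe src="skype://14085555555?call"></iframe>
</body></html>`;

function demo() {
  return findAutoLaunchUrls(SAMPLE_HTML); // one hit: iframe, scheme "skype"
}
```

A scanner like this is necessarily a heuristic: it catches markup that navigates on page load, but not a scheme URL reached through script after the page has loaded. The durable fix sits on the application side, where an app receiving a URL for its scheme should confirm with the user before taking an action such as placing a call.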

Read the full story here.

Source:[TheHSecurity]