XSS vulnerability in Skype

    Skype’s popular VoIP program contains a vulnerability that could allow an attacker to gain access to an account. Levent Kayan, who found the vulnerability, in his review indicated that in some cases it is possible to gain access to the user's system.

    An attacker can embed JavaScript in the mobile phone field or the “about myself” field. These fields are not filtered enough, and when someone from the contact list of the attacker enters Skype, the embedded code is automatically executed.

    XSS vulnerability is contained in Skype version and earlier, running Windows and Mac, and it does not always play. Linux version is not affected. At the moment, the fix did not work.

    Skype developers have confirmed the vulnerability and promised to release a patch within the next week. They also explained why the vulnerability is not always reproduced: for this it is necessary that the attacker be in the list of popular contacts. They also classified the problem as not very significant, as the attacker supposedly can only show the message or redirect to another page.

    A source

    Also popular now: