XSS vulnerability in Skype
The popular VoIP program Skype contains a vulnerability that could allow an attacker to gain access to an account. Levent Kayan, who found the vulnerability, indicated in his write-up that in some cases it is possible to gain access to the user's system.
An attacker can embed JavaScript in the mobile phone field or the “about myself” field. These fields are not sufficiently filtered, and when someone from the attacker's contact list logs in to Skype, the embedded code is executed automatically.
The XSS vulnerability is present in Skype version 5.3.0.120 and earlier on Windows and Mac, and it cannot always be reproduced. The Linux version is not affected. At the moment, no fix is available.
Skype developers have confirmed the vulnerability and promised to release a patch within the next week. They also explained why the vulnerability cannot always be reproduced: the attacker must be in the list of popular contacts. They also classified the problem as not very significant, since the attacker supposedly can only display a message or redirect to another page.
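The root cause described above, profile fields reaching an HTML renderer without adequate filtering, is illustrated by the following added example, which is not Skype's code or code from the report. It assumes a client that builds a contact card as an HTML string; all function names and sample profiles are hypothetical.

```javascript
// Added example: rendering untrusted contact-profile fields into HTML.
// All names here (escapeHtml, renderContactCard, ...) are hypothetical.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A phone number has a known shape, so validate it against an allowlist
// instead of trying to strip "bad" characters out of it.
function normalizePhone(value) {
  const s = String(value).trim();
  return /^\+?[0-9 ()\-.]{3,24}$/.test(s) ? s : "";
}

// Weak form: profile fields are concatenated straight into markup.
function renderContactCardUnsafe(profile) {
  return `<div class="card"><span class="phone">${profile.mobile}</span>` +
         `<p class="about">${profile.about}</p></div>`;
}

// Hardened form: validate the structured field, encode everything on output.
function renderContactCard(profile) {
  const phone = escapeHtml(normalizePhone(profile.mobile));
  const about = escapeHtml(profile.about);
  return `<div class="card"><span class="phone">${phone}</span>` +
         `<p class="about">${about}</p></div>`;
}

// Constructed sample profiles (not taken from the report).
const benign = { mobile: "+1 (555) 010-0199", about: "Tea & biscuits" };
const hostile = {
  mobile: '<script>alert("marker")</script>',
  about: '<img src=x onerror="alert(1)"> hi',
};

console.log(renderContactCardUnsafe(hostile)); // markup reaches the renderer intact
console.log(renderContactCard(hostile));       // markup is shown as inert text
console.log(renderContactCard(benign));
```

Encoding at output time is what protects the viewer; the phone allowlist only narrows what a structured field may contain.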