Skype Vulnerable to HTML/JavaScript Code Injection

Tuesday, August 23, 2011

Headlines

69dafe8b58066478aea48f3d0f384820

Researcher Levent Kayan at Noptrix.net has published a recently discovered vulnerability that could allow for an HTML/JavaScript code injection in Skype versions 5.5.0.113 or older installed on windows XP, Vista and 7 systems.

Kayan says Skype suffers from a persistent code injection vulnerability due to a lack of input validation which could possibly allow an attacker to inject HTML/JavaScript code in order to hijack cookies or to attack the underlying operating system (click image to enlarge).

/uploads/remoteimg/11fc9d26b14f8c421879adbf731d52f9.jpg

Kayan reports that Skype has disputed his findings in the proof-of-concept (PoC) related to this vulnerability:

"We have had this reported to us by various media outlets and have confirmed that the person is mistaken, this is not a web window and while it does cause a phone number to be underlined, does nothing other than this," a Skype spokesperson is quoted as saying.

Kayan countered Skype's dismissal of his findings with the following statements:

"First of all, they use HTML to embed all entries in Skype user's profile. The 'parser' is not validating the input, so I was able to inject HTML code (any html tags are possible). My first Skype bug was depending on these entries. Their fix was: Sanitize the output on their webservers. What about the input in the client app?"

"Does it make sense to allow users to 'embed' HTML code in their Skype profile and especially in those 'phone number' fields? Also, there is no option to define any HTML code in Skype client. I was able to find those bugs with Linux Skype client. I guess, they don't focus so much on that client. I will stop here, but you can test it."

Kayan's published PoC can be found here: http://www.noptrix.net/advisories/skype_inject.txt

Source: http://www.sectechno.com/2011/08/22/skype-vulnerable-to-htmljavascript-code-injection/

Help Support Infosec Island by Tweeting and Stumbling our Articles - and join our LinkedIn Group HERE - Thanks!

 

Possibly Related Articles:
24082
Webappsec->General
Javascript Windows Vulnerabilities HTML Linux Skype Headlines Proof of Concept Code Injection
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.