Skype is Still Vulnerable

An Armenian hacker is claiming that Skype has failed to learn from prior security lessons, falling victim to a cross-site scripting (XSS) vulnerability similar to one it patched in May, which would allow users to redirect victims to unwanted websites or run arbitrary code. The May vulnerability allowed users to fool the Mac client of Skype into running arbitrary code as the client didn't check, or sanitise, instant messages to ensure they were free of malicious code.

While Skype issued a low-priority patch at the time, a 28-year-old Armenian-based security engineer, Levent "noptrix" Kayan, claimed on Wednesday night that a similar XSS vulnerability existed elsewhere in Skype's software. He said that the failure to sanitise certain user information or the output rendered in Skype clients could still allow code to be executed.

In particular, Kayan claimed that he could see remote users' session information, which he said a malicious user could utilise to masquerade as the remote user and make calls on their account. He also said it could be used to take advantage of other holes, possibly allowing full control over the PC. Both of the latest versions of Windows and Mac clients are affected.
He said: "An attacker would need to [submit] malicious code. The victim doesn't have to do anything. He will be attacked, when he just logs into his account."
Skype said the vulnerability was considered a minor issue and that it had developed a fix for it which would be deployed next week.
Skype's head of information security, Adrian Asher, said that in order to exploit this, a person would have to be a validated contact of yours and one of the people you are most frequently in contact with, and that the flaw was therefore very unlikely to cause any issues in the real world. Nevertheless, he said the vulnerability shouldn't have existed and it would be fixed.
Additionally, Skype said that the session information that Kayan had been able to access was in relation to the web session IDs and not Skype IDs, suggesting that the attacker couldn't make calls using the exploit. It did, however, concede that it was possible for a victim's contacts to redirect them to any website using the web browser built into the Skype client, but stressed that only validated contacts would be able to do so. In the meantime, it said users should not authorise people they do not know and/or do not want to talk to.
HackLabs director, Chris Gatford, said that it was common to come across these sorts of vulnerabilities in the penetration testing of client systems that his company does.
"I would suggest that 80 per cent, perhaps even 90 per cent of the time, cross-site scripting vulnerabilities are present," he said.
Gatford mentioned the previous XSS vulnerability in the Skype client and thought that it was surprising that Skype had not patched all of its input validation problems when it was previously brought to its attention. "This would be a simple fix for them. To be honest, I'm kind of surprised they didn't learn their lesson the first time and extend the fix system-wide then."

-News Source (ZDNet)

