Skype for iPhone makes stealing address books a snap

If you use Skype on an iPhone or iPod touch, Phil Purviance can steal your device's address book simply by sending you a chat message. In a video posted over the weekend, the security researcher makes the attack look like child's play. Type some JavaScript commands into the user name of a Skype account, use it to send a chat …

COMMENTS

This topic is closed for new posts.
  1. Geoff Campbell

    Oh, splendid!

    Cue mass outrage from assembled fanbois in 3..2..1..

    GJC

  2. P. Lee

    Apple tries

    but in the end it is Microsoft's responsibility.

    Wheeee! new opportunities for MS bashing... is it MS's secret plan to bring the iPhone into disrepute?

    Seriously guys... if you must re-use browser code for everything, how hard would it be to build no-script into your embedded browsers?

    1. L1feless

      I agree yet I don't

      In Apple's world Apple is king. So when Apple rejects an app because they don't like its content then that is accepted. Now just because Skype is a respected app doesn't mean that Apple cannot remove the infected app from its store to protect its users from downloading an app which they know to be an issue. So although ultimately this is Microsoft's issue to fix Apple has done nothing to mitigate or bridge the gap.

    2. Pascal Monett

      Excuse me while I re-read the first line of the article

      You know, the one where it says "If you use Skype on an iPhone or iPod touch".

      In other words, Apple-only products using Apple-only software and apps that are Apple-software compatible.

      Now, please explain how anyone could possibly crowbar Microsoft into that argument, except for a troll.

      Oh, right.

  3. Flat_Steve

    Reminds me of...

    Bobby Tables.

  4. jubtastic1

    Regarding point two

    So Apple should restrict address book data from apps? Even contact based apps like Skype?

    Skype has to have an address book to work at all, restricting access in iOS isn't going to change that, all it's going to do is annoy iOS users who will be forced to upload their contacts to Skype from their computers instead while Skype says "sorry peeps, nasty old Apple won't let you do it the easy way".

    I also don't see how anyone could expect an OS to distinguish between a messaging app uploading data to a remote host in the normal course of usage and uploading data to a remote host because it's been coerced to do so, this is Skype's fail pure and simple.

    1. My Alter Ego

      Regarding point two

      "So Apple should restrict address book data from apps? Even contact based apps like Skype?"

      No, it should inform users if an app will attempt to access their contacts when it's installed. Clearly this wouldn't have prevented this Skype bug, and it's entirely possible that it could happen on Android seeing as when you install it you give it access to your contacts.

      I do however think that the Android security model is vastly superior as it gives me warning if somebody wants to snarf my contacts. If a game tells me it wants access to Fine Location (GPS), Contacts & Internet, then there's no way I'm installing it.

      1. NotTellinYou

        huh?

        So Apple should inform you...that an app will use your address book that has as a feature the use of a common shared address book? Ok..fine...99% of users will click "Ok" to that, JUST AS THEY DO WITH ANDROID and Skype.

        As for your location example, Apple does indeed warn you that an application wants to access your location data and you can install the app but deny access to location services at the time of installation or at any time in the future as you wish.

        Since there is malware on Android that's meant to "snarf" your stuff I wouldn't install those on my Android phone either.

    2. Aichikenmin

      I believe that would be the *phone* contacts, not the Skype ones.

  5. theamoeba

    oh look, i can do it too. :/

  6. Anonymous Coward

    Surely..

    If you blocked it from the address book it'd make the app pointless since I'd imagine (not sure as I don't use Skype) that you'd stored your Skype addresses along with your usual contact info no?

    Also how many Droid users when installing Skype if told it needed access to their address book would block it since it seems a pretty obvious function of a communications app.

    Fail on the part of Skype rather than Apple for failing to block basic JavaScript injection IMHO.

  7. Fuzz

    idiots

    Why on earth would a chat client need to interpret JavaScript?

  8. Guido Esperanto

    hmm

    this problem exclusive to iPhone or are droids susceptible as well?

    1. NotTellinYou

      No idea!

      Ask Microsoft!

  9. Simon Crowe

    XKCD covered this nicely

    http://xkcd.com/327/

    1. Falanx

      Flat_Steve beat you to it by three hours :-)

  10. Andy Watt

    Skype in crappy software shocker

    Uh... this would be the same company whose stupendously huge distributed network fell down last year and had to be helped back onto its knees using thousands of temporary supernodes, after a pisspoor Windows Skype application?

    Blimey. Whoda thunk it.

  11. Zippy the Pinhead

    This is Apple's problem

    Apple of course will try to shift the blame to MS but it's not their problem! Apple has a walled garden approach and this is something their App Market testers should have tested for.
