Oh, splendid!
Cue mass outrage from assembled fanbois in 3..2..1..
GJC
If you use Skype on an iPhone or iPod touch, Phil Purviance can steal your device's address book simply by sending you a chat message. In a video posted over the weekend, the security researcher makes the attack look like child's play. Type some JavaScript commands into the user name of a Skype account, use it to send a chat …
but in the end it is Microsoft's responsibility.
Wheeee! New opportunities for MS bashing... Is it MS's secret plan to bring the iPhone into disrepute?
Seriously guys... if you must re-use browser code for everything, how hard would it be to build no-script into your embedded browsers?
In Apple's world Apple is king. So when Apple rejects an app because they don't like its content then that is accepted. Now just because Skype is a respected app doesn't mean that Apple cannot remove the infected app from its store to protect its users from downloading an app which they know to be an issue. So although ultimately this is Microsoft's issue to fix, Apple has done nothing to mitigate or bridge the gap.
You know, the one where it says "If you use Skype on an iPhone or iPod touch".
In other words, Apple-only products using Apple-only software and apps that are Apple-software compatible.
Now, please explain how anyone could possibly crowbar Microsoft into that argument, except for a troll.
Oh, right.
So Apple should restrict address book data from apps? Even contact based apps like Skype?
Skype has to have an address book to work at all, restricting access in iOS isn't going to change that, all it's going to do is annoy iOS users who will be forced to upload their contacts to Skype from their computers instead while Skype says "sorry peeps, nasty old Apple won't let you do it the easy way".
I also don't see how anyone could expect an OS to distinguish between a messaging app uploading data to a remote host in the normal course of usage and uploading data to a remote host because it's been coerced to do so, this is Skype's fail pure and simple.
"So Apple should restrict address book data from apps? Even contact based apps like Skype?"
No, it should inform users if an app will attempt to access their contacts when it's installed. Clearly this wouldn't have prevented this Skype bug, and it's entirely possible that it could happen on Android seeing as when you install it you give it access to your contacts.
I do however think that the Android security model is vastly superior as it gives me warning if somebody wants to snarf my contacts. If a game tells me it wants access to Fine Location (GPS), Contacts & Internet, then there's no way I'm installing it.
So Apple should inform you...that an app will use your address book that has as a feature the use of a common shared address book? Ok..fine...99% of users will click "Ok" to that, JUST AS THEY DO WITH ANDROID and Skype.
As for your location example, Apple does indeed warn you that an application wants to access your location data and you can install the app but deny access to location services at the time of installation or at any time in the future as you wish.
Since there is malware on Android that's meant to "snarf" your stuff I wouldn't install those on my Android phone either.
If you blocked it from the address book it'd make the app pointless since I'd imagine (not sure as I don't use Skype) that you'd store your Skype addresses along with your usual contact info, no?
Also, how many Droid users when installing Skype, if told it needed access to their address book, would block it, since it seems a pretty obvious function of a communications app?
Fail on the part of Skype rather than Apple for failing to block basic JavaScript injection IMHO.