back to article Skype bug may expose users to malicious code

The latest version of Skype for Windows contains a security vulnerability that allows attackers to inject potentially dangerous code into a user's phone session, a German security researcher has reported. The XSS, or cross-site scripting, vulnerability in Skype 5.5.0.113 is the result of the voice-over-IP client failing to …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    What HTML is processed?

    That's not a browser window, and the tool used to write the Windows Skype GUI has controls that allow *some* HTML to be used in labels like that. AFAIK it isn't a full HTML processor, thereby I guess it doesn't process Javascript. Maybe hyperlinks are supported, maybe not. Can the reseacher demonstrate it? He showed the vulnerability, and given the context a proof of concept is not difficult to show.

  2. The BigYin

    I was curious...

    ...so I tried it. Skype will allow "alert()" for a number, but converts it to a numeric equivalent.

    HTML tags are not permitted, in fact special characters are not permitted.

    This is on Skype 5.5.0.113 on Win7

    If you try via the website, it either freaks or strips HTML tags.

    So I am not altogether sure how this person managed to get their "injection" done.

    1. trarch
      Boffin

      View Profile

      To get it to work, you need to edit your profile phone numbers and then view the profile from *another* account (Right click on contact -> 'View Profile').

      1. The BigYin

        Err...

        ...I did figure that much, but I still don't see how it would be possible if the site/client had disallowed/altered the data.

        Might try again at lunch.

  3. david 63

    Kazan...

    ...stop being lazy and get into a lab and do it.

    Or shut up with the FUD.

  4. Anonymous Coward
    Anonymous Coward

    It's a TRichLabel - what is it capable of?

    A quick look with Spy++ says it's a TRichLabel control, and it used for any data in the profile window, including the web site address. Thereby what works there works in other fields too, probably hyperlink shoud work.. What else is supported depends on what kind of libary implementi that lable they have used, I would be surprised if it supports Javascript.

  5. NomNomNom
    Thumb Down

    shoulda listened to me folks

    For years I have been warning the government and public to leave phones well alone. But no, successive companies and governments had to mess with them, making them smaller "compact", cordless ("mobile") and hardware free ("software" based phones such as Skype).

    Well you reap what you sow.

This topic is closed for new posts.

Other stories you might like