AOH :: HP Unsorted A :: BX1690.HTM

Attackers can SkypeFind you



Attackers can SkypeFind you
Attackers can SkypeFind you



A patch for the cross-zone scripting vulnerability in Skype is still not
available. As I mentioned in my first advisory, Skype renders HTML pages in
several dialogs.
One of these dialogs is used by a feature called "SkypeFind". This feature,
available from version 3.1, allows Skype users promote and review businesses
around the world. Sadly, it could also be used by attackers to own Skype
users' machines.

Within this feature any Skype user can add a new business and review an
existing business. Skype does a great job sanitizing the data provided in
the business item entry, and also the text provided in the user's reviews.
Unfortunately, they forgot to sanitize the full name of the reviewers. So,
an attacker can inject a malicious script in his Skype's Full Name, and
whenever a victim will view a business which was reviewed by the attacker,
in the SkypeFind dialog, the malicious script will be executed in an
unlocked Local Zone!

I've contacted Skype security team, and they have provided a quick server
side fix for the full name issue.
Unfortunately, this is not enough! I'm worried that there are probably other
ways to inject a script to this dialog. 
I advised Skype to disable this feature until they provide a patch for the
cross-zone scripting vulnerability. For no good reason, they have decided to
decline my advice.

More information:
http://aviv.raffon.net/2008/01/31/AttackersCanSkypeFindYou.aspx 

--Aviv.


The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.