Since last Thursday there has been news circulating about the discovery of a Cross-site Scripting (XSS) vulnerability in Skype, and after the company's official confirmation and the alert issued by INTECO-CERT, the news is confirmed. Levent Kayan, a security consultant from Berlin, published his finding a few days ago: a vulnerability that would allow a remote attacker to access a user's account (and take control of it, for example by changing the password and accessing all of the contacts' data).

The problem lies in the user profile form (video), which contains a field for the mobile phone number. JavaScript code can be injected into that field and is later executed when a contact views the "malicious" user's profile tab, at which point the attacker could take full control of the account and access all of the victim's data. Seen this way, it is clear that victim and attacker have to know each other, so the risk is somewhat reduced, but it is still a significant gap.
Skype is working on an update to its client to solve the problem; in the meantime, users of Skype 5.3.0.120 and earlier versions for Windows and Mac OS X should take extra care with the people they add and the profiles they visit. Thinking about it a little, I believe the flaw is very serious: allowing JavaScript code to be entered in a field that should be numeric goes beyond mere carelessness, yet Skype has not seen it this way and has not classified it as a critical incident.
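To illustrate the two defensive mistakes described above (accepting arbitrary text in a numeric field, and rendering that stored value into another user's view without encoding), here is an added example that is not Skype's code: a contact card renderer in its flawed form next to a hardened form that validates the phone number on input and HTML-encodes on output. The profile names and the payload string are constructed for the illustration.

```javascript
// Constructed stand-in for a stored profile value controlled by a hostile user.
const CONSTRUCTED_PAYLOAD = '+49 30 <script>alert(1)</script>';

// Flawed: trusts the stored "phone number" and interpolates it straight into markup,
// so whatever was stored is parsed as HTML when a contact views the card.
function renderContactCardUnsafe(profile) {
  return `<div class="contact"><span class="name">${profile.name}</span>` +
         `<span class="mobile">${profile.mobile}</span></div>`;
}

// Mitigation 1: reject anything that is not a plausible phone number at input time.
// Digits, spaces, dashes, parentheses and an optional leading '+', 6 to 20 characters.
const PHONE_RE = /^\+?[0-9][0-9 ()-]{4,18}[0-9]$/;
function isValidMobile(value) {
  return typeof value === 'string' && PHONE_RE.test(value);
}

// Mitigation 2: always HTML-encode on output, even for fields that "should" be numeric,
// so a value that slips past validation is displayed as text rather than parsed as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened renderer: drops an invalid phone value and encodes everything it emits.
function renderContactCardSafe(profile) {
  const mobile = isValidMobile(profile.mobile) ? profile.mobile : '';
  return `<div class="contact"><span class="name">${escapeHtml(profile.name)}</span>` +
         `<span class="mobile">${escapeHtml(mobile)}</span></div>`;
}

// Detection helper: true if the rendered markup still contains a script element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed profile as a contact would receive it.
const profile = { name: 'Mallory', mobile: CONSTRUCTED_PAYLOAD };
console.log(containsScriptTag(renderContactCardUnsafe(profile))); // true
console.log(containsScriptTag(renderContactCardSafe(profile)));   // false
```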
According to Skype's official response, delivered by Adrian Asher, Skype's head of information security:
"In essence, it allows one of your main contacts on Windows to show you messages or redirect you to web pages within the Skype page. In order to take advantage of it, this person would have to be a validated contact of yours and one of the most frequent, and therefore very unlikely to cause problems in the real world; however, it should not be so and will be fixed."

Source: DDSMedia