Share

Related Links

  • Secalert
  • Reed Exhibitions Ltd is not responsible for the content of external websites.

Related Stories

  • Skype subject to "persistent" cross-site scripting vulnerability
    An Armenian security researcher has revealed a cross-site scripting vulnerability on Skype, for which the internet telephony and messaging specialist is reportedly developing a patch.
  • Skype quietly rolls out toolbar update - whether you want it or not
    Internet telephony giant Skype, which was recently acquired by Microsoft, has been spotted distributing unrequested performance and security updates to its users by a security researcher.
  • Skype protocol hack could have been prevented claims StarForce
    The widely reported cracking of the Skype protocol - a process that will eventually allow tech-savvy hackers to eavesdrop on Skype IP data streams, whether or not compact headers are used - could have been prevented, says StarForce Technologies, the Russian copy protection specialist.
  • Skype users hit by Windows scareware scam
    Reports are coming in that cybercriminals are generating Skype calls urging recipients to download and install a Windows system update file. The file, of course, appears to be a scareware application that attempts to fool users that their computer is infected.
  • Skype tackles Peskyspy trojan problem
    Skype, the internet telephony and instant messaging service currently being sold off by parent company eBay, has moved swiftly to meet the well-publicised security threat of the Peskyspy trojan, which reportedly allows hackers to remotely monitor and record Skype voice calls.

Top 5 Stories

News

Another XSS security flaw discovered in Skype; taps Facebook integration

01 August 2011

A security researcher has discovered a potentially major security flaw in Facebook, apparently caused by the communication package/service's recently-launched close integration with Facebook.

According to David Vieira-Kurz of the SecAlert newswire, the Facebook integration has introduced a cross-site scripting (XSS) flaw into the Skype software, allowing the remote hijacking of a Skype session and potentially compromising a user's system.

This is, he claims, due to a lack output sanitisation and allows a victim to be attacked even if they are not a Facebook-friend or Skype contact of the attacker.

Vieira-Kurz has posted a proof-of-concept video showing how the flaw can be exploited.

According to security forum reports, the problem affects the Windows version of Skype from v5.3 onwards and stems from the extension of the Facebook API to the Skype client environment.

The Heisse Online newswire says that the flaw has been advised to Skype and a patch is in the works.

The Softpedia newswire, meanwhile, says that until a patch is developed, Skype users are advised not to have Facebook public profiles open or view the details of online users they do not know.

As reported previously, last month saw an Armenian security researcher reveal an XSS vulnerability on Skype, which the internet telephony and messaging specialist rapidly developed patch.

The flaw, the Noptrix researcher said at the time, stemmed from a "lack of input validation and output sanitisation of the mobile phone profile entry."

This article is featured in:
Application Security  •  Internet and Network Security  •  Malware and Hardware Security

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×