Another XSS security flaw discovered in Skype; taps Facebook integration

01 August 2011

A security researcher has discovered a potentially major security flaw in Skype, apparently caused by the communication package/service's recently launched close integration with Facebook.

According to David Vieira-Kurz of the SecAlert newswire, the Facebook integration has introduced a cross-site scripting (XSS) flaw into the Skype software, allowing the remote hijacking of a Skype session and potentially compromising a user's system.

This is, he claims, due to a lack of output sanitisation and allows a victim to be attacked even if they are not a Facebook friend or Skype contact of the attacker.

Vieira-Kurz has posted a proof-of-concept video showing how the flaw can be exploited.

According to security forum reports, the problem affects the Windows version of Skype from v5.3 onwards and stems from the extension of the Facebook API to the Skype client environment.

The Heise Online newswire says that the flaw has been reported to Skype and a patch is in the works.

The Softpedia newswire, meanwhile, says that until a patch is developed, Skype users are advised not to have Facebook public profiles open or view the details of online users they do not know.

As reported previously, last month saw an Armenian security researcher reveal an XSS vulnerability in Skype, for which the internet telephony and messaging specialist rapidly developed a patch.

The flaw, the Noptrix researcher said at the time, stemmed from a "lack of input validation and output sanitisation of the mobile phone profile entry."
