Another XSS security flaw discovered in Skype; taps Facebook integration

According to David Vieira-Kurz of the SecAlert newswire, the Facebook integration has introduced a cross-site scripting (XSS) flaw into the Skype software, allowing the remote hijacking of a Skype session and potentially compromising a user's system.

This is, he claims, due to a lack output sanitisation and allows a victim to be attacked even if they are not a Facebook-friend or Skype contact of the attacker.

Vieira-Kurz has posted a proof-of-concept video showing how the flaw can be exploited.

According to security forum reports, the problem affects the Windows version of Skype from v5.3 onwards and stems from the extension of the Facebook API to the Skype client environment.

The Heisse Online newswire says that the flaw has been advised to Skype and a patch is in the works.

The Softpedia newswire, meanwhile, says that until a patch is developed, Skype users are advised not to have Facebook public profiles open or view the details of online users they do not know.

As reported previously, last month saw an Armenian security researcher reveal an XSS vulnerability on Skype, which the internet telephony and messaging specialist rapidly developed patch.

The flaw, the Noptrix researcher said at the time, stemmed from a "lack of input validation and output sanitisation of the mobile phone profile entry."

What’s Hot on Infosecurity Magazine?