Skype subject to "persistent" cross-site scripting vulnerability

According to newswire reports, the Noptrix researcher has notified Skype of the problem, which he describes as "persistent" and affecting v5.3 of the Skype client - for Mac and Windows - onwards.

The flaw, the researcher claims, stems from a "lack of input validation and output sanitisation of the mobile phone profile entry", adding that other input fields may also be affected by the security issue.

In his blog entry on the problem, the researcher details a Javascript proof-of-concept payload demonstration, which he says could the session ID of a remote user to be hijacked.

Infosecurity notes that the researcher - who some newswires are calling a hacker - published the details on his blog late last week in parallel with notifying Skype of his findings. This suggests that Skype is rushing out a patch for the issue at high speed.

The Softpedia newswire is reporting that the XSS flaw is a stored security issue with the Skype client, confirming some newswire reports which have classed the problem as a serious one.

Interestingly, the ZDNet newswire disagrees with this analysis, saying that the problem does not allow the remote hijacker to make calls placing the hacked users' Skype account, as some reports have suggested.

What’s hot on Infosecurity Magazine?