Feeds

SkypeFinds another security snafu

More VoIP security woes

The Essential Guide to IT Transformation

Skype has patched a flaw involving its SkypeFind feature. But the security researcher who discovered the flaw said the VoIP platform remains exposed to cross-zone scripting vulnerabilities, like the latest SkypeFind bug and an earlier flaw involving movie files.

SkypeFind lets users recommend businesses, or post reviews, to others running the voice-over-IP client. Problems have arisen because Skype has neglected to sanitise a field designed to pass across reviewers' names (even though it does clean up data provided in the business item entry and text submitted in a review).

As a result of this partial oversight hackers could replace a reviewer's name with a malicious script, allowing them to inject malware onto machines running the popular application.

"An attacker can inject a malicious script in his Skype's Full Name, and whenever a victim will view a business which was reviewed by the attacker, in the SkypeFind dialog, the malicious script will be executed in an unlocked Local Zone," warns security researcher Aviv Raff, who was also instrumental in revealing previous cross-zone scripting vulnerabilities in Skype.

"Fortunately for the attacker, it is also possible to open the dialog in a specific business details page from the browser, using the skype: URI handler (e.g. skype:?skypefind ). This means that it is possible for the attacker to create a worm," he added.

In a security notice, Skype said it had fixed the SkypeFind feature. It doesn't go into details beyond saying users don't need to update client software. Skype suggested the whole thing was a storm in teacup because the flaw was hard to exploit. "There is one important precondition for the exploit to work. [The] victim must receive Skype contact request authorisation from the attacker's Skype account," it said.

Raff took issue with this assessment, pointing out that hacking techniques to automate users' contact requests would have reduced the difficulty of mounting attacks.

"The victim enters a malicious website [that] automatically calls the attacker via Skype," Raff said, describing one technique. "This can be done by using the Skype: URI handler. The attacker's bot intercept[s] the call and cancels it. Now that the bot has the victim's username, it uses the User.IsAuthorize API call to allow the victim to view the attacker's full name.

"After a few seconds, the malicious website opens the malicious SkypeFind dialog, and the victim gets owned," Raff said.

Raff has posted a Flash-based video demo (created by another security researcher, Guy Mizrahi) of the SkypeFind attack on his blog. Skype's fix fall short in providing adequate safeguards against exploitation, Raff concludes.

"I've contacted Skype security team, and they have provided a quick fix for the full name issue," Raff writes. "Unfortunately, this is not enough. I'm worried that there are probably other ways to inject a script to this dialog."

"I strongly advised Skype to disable this feature until they provide a patch for the cross-zone scripting vulnerability." ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.