Feeds

SkypeFinds another security snafu

More VoIP security woes

Securing Web Applications Made Simple and Scalable

Skype has patched a flaw involving its SkypeFind feature. But the security researcher who discovered the flaw said the VoIP platform remains exposed to cross-zone scripting vulnerabilities, like the latest SkypeFind bug and an earlier flaw involving movie files.

SkypeFind lets users recommend businesses, or post reviews, to others running the voice-over-IP client. Problems have arisen because Skype has neglected to sanitise a field designed to pass across reviewers' names (even though it does clean up data provided in the business item entry and text submitted in a review).

As a result of this partial oversight hackers could replace a reviewer's name with a malicious script, allowing them to inject malware onto machines running the popular application.

"An attacker can inject a malicious script in his Skype's Full Name, and whenever a victim will view a business which was reviewed by the attacker, in the SkypeFind dialog, the malicious script will be executed in an unlocked Local Zone," warns security researcher Aviv Raff, who was also instrumental in revealing previous cross-zone scripting vulnerabilities in Skype.

"Fortunately for the attacker, it is also possible to open the dialog in a specific business details page from the browser, using the skype: URI handler (e.g. skype:?skypefind ). This means that it is possible for the attacker to create a worm," he added.

In a security notice, Skype said it had fixed the SkypeFind feature. It doesn't go into details beyond saying users don't need to update client software. Skype suggested the whole thing was a storm in teacup because the flaw was hard to exploit. "There is one important precondition for the exploit to work. [The] victim must receive Skype contact request authorisation from the attacker's Skype account," it said.

Raff took issue with this assessment, pointing out that hacking techniques to automate users' contact requests would have reduced the difficulty of mounting attacks.

"The victim enters a malicious website [that] automatically calls the attacker via Skype," Raff said, describing one technique. "This can be done by using the Skype: URI handler. The attacker's bot intercept[s] the call and cancels it. Now that the bot has the victim's username, it uses the User.IsAuthorize API call to allow the victim to view the attacker's full name.

"After a few seconds, the malicious website opens the malicious SkypeFind dialog, and the victim gets owned," Raff said.

Raff has posted a Flash-based video demo (created by another security researcher, Guy Mizrahi) of the SkypeFind attack on his blog. Skype's fix fall short in providing adequate safeguards against exploitation, Raff concludes.

"I've contacted Skype security team, and they have provided a quick fix for the full name issue," Raff writes. "Unfortunately, this is not enough. I'm worried that there are probably other ways to inject a script to this dialog."

"I strongly advised Skype to disable this feature until they provide a patch for the cross-zone scripting vulnerability." ®

Mobile application security vulnerability report

More from The Register

next story
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.