Feeds

SkypeFinds another security snafu

More VoIP security woes

Protecting against web application threats using SSL

Skype has patched a flaw involving its SkypeFind feature. But the security researcher who discovered the flaw said the VoIP platform remains exposed to cross-zone scripting vulnerabilities, like the latest SkypeFind bug and an earlier flaw involving movie files.

SkypeFind lets users recommend businesses, or post reviews, to others running the voice-over-IP client. Problems have arisen because Skype has neglected to sanitise a field designed to pass across reviewers' names (even though it does clean up data provided in the business item entry and text submitted in a review).

As a result of this partial oversight hackers could replace a reviewer's name with a malicious script, allowing them to inject malware onto machines running the popular application.

"An attacker can inject a malicious script in his Skype's Full Name, and whenever a victim will view a business which was reviewed by the attacker, in the SkypeFind dialog, the malicious script will be executed in an unlocked Local Zone," warns security researcher Aviv Raff, who was also instrumental in revealing previous cross-zone scripting vulnerabilities in Skype.

"Fortunately for the attacker, it is also possible to open the dialog in a specific business details page from the browser, using the skype: URI handler (e.g. skype:?skypefind ). This means that it is possible for the attacker to create a worm," he added.

In a security notice, Skype said it had fixed the SkypeFind feature. It doesn't go into details beyond saying users don't need to update client software. Skype suggested the whole thing was a storm in teacup because the flaw was hard to exploit. "There is one important precondition for the exploit to work. [The] victim must receive Skype contact request authorisation from the attacker's Skype account," it said.

Raff took issue with this assessment, pointing out that hacking techniques to automate users' contact requests would have reduced the difficulty of mounting attacks.

"The victim enters a malicious website [that] automatically calls the attacker via Skype," Raff said, describing one technique. "This can be done by using the Skype: URI handler. The attacker's bot intercept[s] the call and cancels it. Now that the bot has the victim's username, it uses the User.IsAuthorize API call to allow the victim to view the attacker's full name.

"After a few seconds, the malicious website opens the malicious SkypeFind dialog, and the victim gets owned," Raff said.

Raff has posted a Flash-based video demo (created by another security researcher, Guy Mizrahi) of the SkypeFind attack on his blog. Skype's fix fall short in providing adequate safeguards against exploitation, Raff concludes.

"I've contacted Skype security team, and they have provided a quick fix for the full name issue," Raff writes. "Unfortunately, this is not enough. I'm worried that there are probably other ways to inject a script to this dialog."

"I strongly advised Skype to disable this feature until they provide a patch for the cross-zone scripting vulnerability." ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.