Feeds

SkypeFinds another security snafu

More VoIP security woes

Using blade systems to cut costs and sharpen efficiencies

Skype has patched a flaw involving its SkypeFind feature. But the security researcher who discovered the flaw said the VoIP platform remains exposed to cross-zone scripting vulnerabilities, like the latest SkypeFind bug and an earlier flaw involving movie files.

SkypeFind lets users recommend businesses, or post reviews, to others running the voice-over-IP client. Problems have arisen because Skype has neglected to sanitise a field designed to pass across reviewers' names (even though it does clean up data provided in the business item entry and text submitted in a review).

As a result of this partial oversight hackers could replace a reviewer's name with a malicious script, allowing them to inject malware onto machines running the popular application.

"An attacker can inject a malicious script in his Skype's Full Name, and whenever a victim will view a business which was reviewed by the attacker, in the SkypeFind dialog, the malicious script will be executed in an unlocked Local Zone," warns security researcher Aviv Raff, who was also instrumental in revealing previous cross-zone scripting vulnerabilities in Skype.

"Fortunately for the attacker, it is also possible to open the dialog in a specific business details page from the browser, using the skype: URI handler (e.g. skype:?skypefind ). This means that it is possible for the attacker to create a worm," he added.

In a security notice, Skype said it had fixed the SkypeFind feature. It doesn't go into details beyond saying users don't need to update client software. Skype suggested the whole thing was a storm in teacup because the flaw was hard to exploit. "There is one important precondition for the exploit to work. [The] victim must receive Skype contact request authorisation from the attacker's Skype account," it said.

Raff took issue with this assessment, pointing out that hacking techniques to automate users' contact requests would have reduced the difficulty of mounting attacks.

"The victim enters a malicious website [that] automatically calls the attacker via Skype," Raff said, describing one technique. "This can be done by using the Skype: URI handler. The attacker's bot intercept[s] the call and cancels it. Now that the bot has the victim's username, it uses the User.IsAuthorize API call to allow the victim to view the attacker's full name.

"After a few seconds, the malicious website opens the malicious SkypeFind dialog, and the victim gets owned," Raff said.

Raff has posted a Flash-based video demo (created by another security researcher, Guy Mizrahi) of the SkypeFind attack on his blog. Skype's fix fall short in providing adequate safeguards against exploitation, Raff concludes.

"I've contacted Skype security team, and they have provided a quick fix for the full name issue," Raff writes. "Unfortunately, this is not enough. I'm worried that there are probably other ways to inject a script to this dialog."

"I strongly advised Skype to disable this feature until they provide a patch for the cross-zone scripting vulnerability." ®

Boost IT visibility and business value

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.