Feeds

Skype for iPhone makes stealing address books a snap

Just add JavaScript

The Essential Guide to IT Transformation

If you use Skype on an iPhone or iPod touch, Phil Purviance can steal your device's address book simply by sending you a chat message.

In a video posted over the weekend, the security researcher makes the attack look like child's play. Type some JavaScript commands into the user name of a Skype account, use it to send a chat message to someone using the latest version of Skype on an iPhone or iPod touch, and load a small program onto a webserver. Within minutes, you'll have a fully-searchable copy of the victim's address book.

“I'm going to send a user on an iPhone a message, and when he sees the message, the exploit will run,” the narrator says. “When the exploit code is run, the victim's iPhone will automatically make a new connection to my server to grab a larger payload instructing the victim's iPhone to upload its entire address book file to the server.”

The attack exploits two oversights that just go to show that even elaborately erected walled gardens such as Apple's can contain threats that menace its blissful inhabitants. The first is a failure by Skype to sanitize potentially dangerous JavaScript commands from the text that gets sent in chat messages. Skype for Macs recently succumbed to a similar XSS, or cross-site scripting, vulnerability that allowed attackers to commandeer a victim's computer simply by viewing a malicious message.

The other lapse making Purviance's attack possible was the decision by iOS developers to make the file storing address-book contents accessible to every app installed, including Skype. That means all that's required to steal a full list of contacts is to find and exploit a vulnerability in a single program installed on a victim's device.

In a Web 2.0 kind of world, contacts for many people aren't exactly closely guarded secrets. For many others – say, attorneys and people who work with survivors of domestic abuse – the names, addresses and phone numbers of contacts are sensitive information.

It's already been 48 hours since this vulnerability was first documented, and the vulnerable app is still available in the iTunes Store. It will be interesting to see how long it takes Apple and Skype to close the gaping hole. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.