Friday, July 29, 2011

Skype update enables account theft - Update



The recent update to Skype 5.5 for Windows contains a severe security vulnerability that allows attackers to get control of your Skype account, according to security expert David Vieira-Kurz. The update promises close integration with Facebook – for instance, you are supposed to be able to track your Facebook friends' activities from your Skype client and even post wall messages from there. But it turns out that the process entails a real security risk, because the client executes JavaScript code in Facebook status messages without filtering.

Skype executes JavaScript code in Facebook comments without filtering
In this way, an attacker can capture a Skype user's cookie, and hence that user's Skype session. The H's associates at heise Security were able to reproduce the problem. The perpetrator does not even need to be Facebook friends with the victim for the attack to succeed, because JavaScript code is also executed on fan sites, where everyone generally has write access. Just two weeks ago, a similar cross-site scripting attack made Skype vulnerable, but that hole has since been closed.
Update - Skype has confirmed it is working on a fix for the problem. However, the vulnerability was not introduced in the update to 5.5. The flaw is not only in the current version, 5.5, but is also in version 5.3, which also contained the faulty Facebook integration.
via The H
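The flaw class described above, unfiltered feed text placed into an HTML view, shown next to an output-encoded renderer and a regression check. This is an added example, not code from Skype, Facebook or The H; the function names, the template and the sample feed are hypothetical and constructed for illustration.

```javascript
// Added example (hypothetical names): third-party status text rendered into
// an embedded HTML view, unfiltered versus output-encoded.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unfiltered: feed-controlled fields are concatenated straight into markup.
function renderUnfiltered(item) {
  return '<div class="status"><b>' + item.author + '</b>: ' + item.text + '</div>';
}

// Hardened: every feed-controlled field is encoded for the HTML context.
function renderEscaped(item) {
  return '<div class="status"><b>' + escapeHtml(item.author) + '</b>: ' + escapeHtml(item.text) + '</div>';
}

// The template itself contributes exactly four '<' characters
// (<div>, <b>, </b>, </div>); any more means feed data reached the parser as markup.
const TEMPLATE_TAG_OPENERS = 4;
function containsForeignMarkup(html) {
  return (html.match(/</g) || []).length > TEMPLATE_TAG_OPENERS;
}

// Constructed sample feed: plain text, a harmless script marker, and a stray '<'.
const SAMPLE_FEED = [
  { author: 'Alice', text: 'Lunch at 12 & coffee after' },
  { author: 'Fan page visitor', text: '<script>alert(1)</script>' },
  { author: 'Bob', text: 'I <3 this client' },
];

// Returns the authors whose items reach the HTML parser as markup under `render`.
function auditFeed(render, feed = SAMPLE_FEED) {
  return feed.filter((item) => containsForeignMarkup(render(item))).map((item) => item.author);
}

console.log('unfiltered renderer flags:', auditFeed(renderUnfiltered));
console.log('escaped renderer flags:', auditFeed(renderEscaped));
```

Marking the session cookie `HttpOnly` additionally keeps script running in the view from reading it, which limits the cookie capture described above even if an encoding gap is missed.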

Jason Kiwaluk
