Skype update enables account theft - Update

Skype Logo
The recent update to Skype 5.5 for Windows contains a severe security vulnerability that allows attackers to get control of your Skype account, according to security expert David Vieira-Kurz. The update promises close integration with Facebook – for instance, you are to be able to track your Facebook friends' activities from your Skype client and even post wall messages from there. But it turns out that the process entails a real security risk, because the client executes JavaScript code in Facebook status messages without filtering.

Skype executes JavaScript code in Facebook comments without filtering Zoom
In this way, an attackers can capture a Skype user's cookie, and hence that user's Skype session. The H's associates at heise Security were able to reproduce the problem. The perpetrator does not even need to be Facebook friends with the victim for the attack to succeed because JavaScript code is also executed on fan sites, where everyone generally has write access. Just two weeks ago, a similar cross-site scripting attack made Skype vulnerable, but that hole has since been closed.
Update - Skype has confirmed it is working on a fix for the problem. However, the vulnerability was not introduced in the update to 5.5. The flaw is not only in the current version, 5.5, but is also in version 5.3 which also contained the faulty Facebook integration.
via The H

No comments: