New threat via Skype

A highly alerting vulnerability in Skype has been exposed by Levant Keyan who managed to manipulate the popular VoIP service via Cross Site Scripting. He used the mobile phone entry in his contact profile as an example to insert JavaScript code which then wasn’t validated properly by the software. As a result an attacker could use this to hijack information of remote users, i.e. send the session cookie to the attacker.

As of now Skype hasn’t offered a fix yet.

This should be just another reminder for every developer to hold on to proper code revision and quality assurance. Validating fields for malicious content is mandatory especially when you’re providing any kind of web-based service.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s