Simple Skype Flaw Enables Account Hijacking
German IT security expert Levent Kayan discovered a simple but particularly nasty vulnerability in Skype that enables an attacker to gain access to session IDs and user account data, including passwords.
To exploit the cross-site scripting bug, an attacker needs to enter a command string in the "mobile phone" field of a targeted user.
Skype confirmed the problem but considers it a "minor issue", while the researcher rates the threat level as "high". Kayan said that other input fields that also lack input validation may be affected by the vulnerability. In a response to Forbes, Skype spokesperson Chaim Haas said that the problem only affects "top contacts", as they need access to this particular field. "As you can imagine, someone who you deal with frequently is probably unlikely to take advantage of this bug anyway," Haas said.
Kayan noted that there is no sign that the bug is already being exploited by attackers. All Skype versions up to 5.3.0.120 on Windows XP, Vista and 7 and on Mac OS X are affected.
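As an added defensive illustration (not code from the article or from Skype), the two independent layers that stop this class of bug: a strict allow-list on the mobile phone field at input time, so markup can never be stored there, and HTML escaping when the stored value is rendered in a contact view. The phone-number policy, function names and sample inputs are assumptions.

```python
import html
import re
from typing import Optional

# Allow-list for a mobile-phone profile field: optional leading "+", then a
# digit or "(", then digits with spaces, dots, dashes or parentheses as
# separators. Hypothetical policy, not Skype's; adapt to the numbering rules
# you actually support.
_PHONE_RE = re.compile(r"^\+?[0-9(][0-9 .\-()]{2,29}$")


def validate_mobile(value: str) -> Optional[str]:
    """Return the normalised number, or None if the input is not a phone number.

    Rejecting anything outside the allow-list on input means HTML or script
    can never be persisted in this field, whatever the client later does with it.
    """
    value = value.strip()
    if not _PHONE_RE.fullmatch(value):
        return None
    # Store only the "+" and the digits.
    digits = re.sub(r"[^0-9]", "", value)
    return ("+" if value.startswith("+") else "") + digits


def render_contact_field(value: str) -> str:
    """Escape a stored field before placing it into an HTML-based contact view.

    Output escaping is the second layer: even if a value slipped past input
    validation (or the policy is relaxed later), it is displayed as plain text.
    """
    return '<span class="mobile">' + html.escape(value, quote=True) + "</span>"


# Constructed sample inputs (not taken from the original article).
SAMPLES = {
    "+49 30 1234567": "+49301234567",
    "(555) 123-4567": "5551234567",
    "555<b>bold</b>": None,
    "javascript:alert(1)": None,
}

if __name__ == "__main__":
    for raw, expected in SAMPLES.items():
        result = validate_mobile(raw)
        assert result == expected, (raw, result)
        print(repr(raw), "->", result, "|", render_contact_field(raw))
```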
Right. This is a "minor" issue.
It seems like some sort of vulnerability is being reported almost every day. It is beginning to sound as if it is business as usual.
Right. This is a "minor" issue.
Um, it is... if you have to worry about your top contacts hacking your computer, then you have more issues than a Skype bug.
It's a minor issue because there is no fix for it yet. When it's fixed, then it becomes a major issue.
Um, it is... if you have to worry about your top contacts hacking your computer, then you have more issues than a Skype bug.
Unless a script run on any infected computer can automatically infect all your top contacts, then all that person's top contacts. It sounds to me like it relies on trust of a source that can't be verified as clean, which is a legitimate security threat. I assume it'll get fixed within a week now that it's public, though.