News from the SUPEREVR security blog is that Skype for iOS is vulnerable to a cross-site scripting (XSS) attack that allows an attacker to send someone a message and, for instance, capture that user’s address book from their iPhone.
The author of the article posted a video that demonstrates the attack:
He further states in a tweet that he notified Skype of the vulnerability on August 24th:
In case anyone is wondering, I disclosed the vulnerability to Skype on 8/24. I was told an update would be released early this month.
Skype has issued a statement through their PR firm:
We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime, we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense Internet security as always.
Skype’s mitigation recommendation is a good one as the default privacy setting is typically that you can only receive chat messages from people on your Contact list. Therefore, the attacker would have to be someone who you have authorized and added to your contact list.
Meanwhile, hopefully Skype will be out with their update soon.
P.S. Hat tip to Tom Keating for writing about this exploit as that was where I first learned of it.