Skype iOS app XSS hole grants access to AddressBook, sensitive data

XSS vulnerability in Skype for the iOS may allow access to a user’s files including the iOS AddressBook, according to a security researcher.

A cross-site scripting vulnerability has been reported in the Skype application for iOS devices like iPod Touch and iPhones. According to security researcher Phil Purviance of AppSec, the vulnerability exists in the Chat message window of the Skype app. It may give an attacker access to the user’s address book and other sensitive data.

According to Purviance’s blog-post, Skype uses a local HTML file to display chat messages from people on the user’s Skype list. However, the Skype app fails to properly encode the incoming users’ full names. This can be exploited by attackers using a specially crafted Javascript code, which executes when users view the message.

The researcher writes that in addition to allowing execution of arbitrary Javascript, the URL scheme in Skype’s built-in WebKit browser is also defined improperly. It may give an attacker access to the user’s local file system, and any other files that the Skype app may have access to.

While the file-system threat is partially mitigated by iOS’ application sandboxing, sensitive data like the AddressBook that every iOS application has access to, can be accessed by exploiting this flaw. The flaw affects Skype app versions 3.0.1 and earlier for the iOS.

Puviance writes that he informed Skype about this vulnerability last month, and expects that Skype will release a patch as part of its next planned update. The researcher has also posted a proof-of-concept video demonstrating the veracity of this exploit.

Read more on Data breach incident management and recovery