Skype iPhone, iPod Touch app has security hole

The vulnerability, located in the app's chat message window, can be used to steal a person's address book.

By Eric Mack, PC World |  Unified Communications, iPhone, iPhone apps

Skype is working to fix a security hole in its iOS app for the iPhone and iPod Touch that allows a hacker to steal a person's entire address book. The vulnerability, located in the app's chat message window, can be exploited with JavaScript code. It was pointed out by security researcher Phil Purviance of AppSec.

"Skype uses a locally stored HTML file to display chat messages from other Skype users, but it fails to properly encode the incoming user's 'Full Name,' allowing an attacker to craft malicious JavaScript code that runs when the victim views the message," Purviance wrote on his blog.

The heart of the problem, according to Purviance, is an improper definition within the Skype app that allows access to a user's local file system. He says the threat is partially mitigated by protections within iOS itself, but the address book remains vulnerable.

Skype appears to be in no hurry to fix the problem. In a tweet, Purviance said he notified Skype of the vulnerability on August 24, and was told that an update addressing the issue would be released in early September.

A statement from Skype confirms that the company is aware of the issue and will fix it "in our next planned release, which we hope to roll out imminently."

You can watch a demonstration of exactly how the exploit works in this video, created by Purviance:

Follow Eric on Twitter and at ericmack.org. Follow PCWorld on Twitter, too.


Originally published on PC World |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Unified CommunicationsWhite Papers & Webcasts

See more White Papers | Webcasts

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question