Researcher Finds Dangerous Vulnerability In Skype

alphadogg writes "A security consultant has notified Skype of a cross-site scripting flaw that could be used to change the password on someone's account, according to details posted online. The consultant, Levent Kayan, based in Berlin, posted details of the flaw on his blog on Wednesday and notified Skype a day later. He said on Friday he hasn't heard a response yet. The problem lies in a field where a person can input their mobile phone number. Kayan wrote that a malicious user can insert JavaScript into the mobile phone field of their profile." Skype has confirmed the flaw, but calls it 'minor,' saying it only affects people who communicate with a potential attacker on a regular basis. A fix is planned for next week.

Typical XSS response

[funnyguy]

I love how companies always downplay XSS. They figure it can only be used in the way shown and assume there is no other way to weaponize a vulnerability other than as presented.

Re:

[ircmaxell]

Exactly. Especially since almost any XSS vulnerability automatically becomes a CSRF vulnerability.

If I can inject JS into your browser, I can do anything that you can do on that site...

spin baby, spin

[sqlrob]

calls it 'minor,' saying it only affects people who communicate with a potential attacker on a regular basis.

Like say, a skilled phisher / social engineer?

Re:

[Riceballsan]

Yeah it's a minor flaw, you are perfectly safe as long as you don't talk with people. I mean who skypes with someone without getting a long detailed background check and ensuring that they don't currently and won't ever have anything against you.

Re:

[HappyPsycho]

U mean like a jealous / paranoid spouse?

Re:

[Caesar Tjalbo]

calls it 'minor,' saying it only affects people who communicate with a potential attacker on a regular basis.

Like say, a skilled phisher / social engineer?

Well the guy who found the flaw is still wondering why they haven't contacted him.

Re:

[ArhcAngel]

Rats...I was too slow.

Dangerous

[Normal Dan]

Just how dangerous is this flaw? Are we talking about holing an antenna during a thunderstorm dangerous, or giving my kid a loaded gun as a toy dangerous, or what?

Just curious is all.

'tis but a flesh wound

[cultiv8]

Skype has confirmed the flaw, but calls it 'minor,' saying it only affects people who communicate with a potential attacker on a regular basis.

Phew, good news. This is the same security model I use on my web server, I think Sony does too, thankfully there ain't no haxxors visiting my sites!

Skype doesn't care

[jtara]

Skype doesn't care. But maybe their new robot overlo.... er, Microsoft will.

A friend of mine started harassing me with text messages after he "found" an iPhone on the floor of a bar (no, seriously! no, not a prototype...) and I wouldn't help him reset it. (Actually I did - I said "Google it, it's easy".

I had to add a blocking service from ATT, but then he switched to bombing me SMS messages from Skype. So, I attempted to contact Skype to get it stopped. Ever try to contact Skype? Like, a live person on the phone? I never managed to figure that out, but at least I did manage to get some clueless person at Skype to email me.

It turns out there is a standard for stopping unwanted SMS messages from 5-digit codes. (The messages came from Skype's 5-digit code). You text back STOP and they are supposed to stop sending you SMSs. Guess what? Skype doesn't bother.

I went around and around with the clueless rep over email, and they basically told me "we can't do this, contact your carrier". I tried to explain that I'd already talked to a rep from the carrier, and they told it was Skype's responsibility to do this. I tried to tell them that their "STOP" system was broken/nonexistent. They just never "got it".

Catch-22.

Re:

[jtara]

Oh, yea, even figuring out how to contact Skype by email is a hassle. They have a web form for this. Only problem is, you have to be a Skype customer. Why, nobody who isn't a Skype customer would ever need to contact Skype, right?

Catch-22.

Aside: pretty dismayed over how hard big companies try to hide from consumers these days.

Re:

[pe1chl]

This is quite common today. Many social media websites offer no way to contact their support department for people who do not have an account themselves.
When I want to contact linkedin, facebook, twitter, hyves or whatever to ask them to stop sending mail to some address, to remove a customer who has deceased, or whatever, the first thing they ask for is my username and password.
But I don't have and don't want accounts on sites like that. I only want to report events in a role as a system administrator.
No

Re:

[gomiam]

STOP

Sorry, couldn't help the pun ;)

Re:

[trum4n]

Break his iPhone. If he calls the cops, tell them its stolen anyway.

Re:

[Anonymous Coward]

Are you an idiot? His ex-buddy is SMSing him the same way he can SMS any phone through Skype: by typing in the phone number and clicking send! No "giving Skype your main phone number" involved.

Re:

[mcmonkey]

Sounds the issue is your choice of "friends", not any technical issue with skype or SMS.

Re:

[Threni]

Skype should care, given they're about to see their market share disappear down the toilet once people discover that rather than the two inherently unreliable (given their track record) companies Microsoft and Facebook, they can instead use Google+.

Re:

[laurelraven]

From what I understand, that was the storage set aside for notifications...and this is Google, they have an ungodly amount of storage space they could call upon, and now know to watch for that. That's why it's in beta, so they can find and fix these problems before going "live" (or, as Google calls it, "Open beta").

Re:

[Bengie]

My wife's sister was doing something similar once. Quick call from the police stopped that.

Dont worry. Skype has been bought by Microsoft

[unity100]

They can now say 'its not a bug, its a feature', and get it over with.

Re:

[AndrewNeo]

So when did the federal approval go through?

Re:

[bkaul01]

So when did the federal approval go through?

About a month ago: Microsoft gets antitrust approval to buy Skype [reuters.com]

What do you expect?

[MaxBooger]

Bah! What do you expect to happen? It's crappy Microsoft software, of course it has security vulnerabilities.
.
.
.
.
.
Waiting for the wooshes...

You don't need to worry about it

[sl4shd0rk]

Because we said so.

Re:

[laurelraven]

This is like a steel plate a mile wide, which has a hole in it that's a half inch wide covered in matching tin foil.

So, all an attacker has to do is use the Force?

Asshole

[alexo]

The consultant, Levent Kayan, based in Berlin, posted details of the flaw on his blog on Wednesday and notified Skype a day later.

Asshole.

Phew

[Opportunist]

Got me worried for a moment. But it says it right there, all I have to do is ask my Skype partner whether he is a hacker and cease contact if he answers in the positive.

Dear Skype security "experts": Whether someone is communicating with a "potential attacker" is something they learn usually a few seconds after an attack. If at all.