Tuesday, September 27, 2011

Skype for iPhone may leak Address Book

A vulnerability could see your entire Address Book uploaded to a remote system

A cross-site scripting vulnerability in Skype for iOS has been used to remotely extract the victim device's Address Book. In the proof of concept (PoC) described on the Superevr blog, a piece of JavaScript is inserted in the Full Name field of the attacker's profile.

When a message is received by the victim, the JavaScript runs and initiates a connection to a server, which sends the real payload. That payload instructs the device to upload the entire Address Book file, which can then be read using SQLite-based programs.

The author of the PoC says there's no indication on the device that anything untoward is happening. The issue is said to affect Skype 3.0.1 and earlier, and the PoC was demonstrated on iOS 4.3.5.

The author of the PoC says he reported the issue to Skype in late August, and was told an update would be released early this month. He made a public disclosure this week after the update did not materialise.

The only current mitigations appear to be to ensure that Skype is set to accept messages only from existing contacts, and to be careful to only accept contact requests from people you trust.

No comments: