
iOS Skype bug may allow data theft


A cross-site scripting vulnerability threatens users of Apple's iOS devices running Skype 3.0.1 and earlier, a security researcher warned. Phil Purviance, a researcher at security firm AppSec Consulting, said the vulnerability is in the "Chat Message" window in Skype for iPhone and iPod Touch.

"Executing arbitrary JavaScript code is one thing, but I found that Skype also improperly defines the URI scheme used by the built-in WebKit browser for Skype. Usually you will see the scheme set to something like 'about:blank' or 'skype-randomtoken,' but in this case it is actually set to 'file://.' This gives an attacker access to the user's file system, and an attacker can access any file that the application itself would be able to access," he said.

He noted that Skype uses a locally stored HTML file to display chat messages from other Skype users, but fails to properly encode the incoming user's "Full Name." This allows an attacker to craft malicious JavaScript code that runs when the victim views the message.

Purviance said that while Apple implements an application sandbox that limits access to sensitive files, every iOS application, Skype included, has access to the user's AddressBook. His proof-of-concept injection, he said, shows that a user's Address Book can indeed be stolen from an iPhone or iPod touch through this vulnerability.

For its part, Skype said it is "aware" of the security issue. "We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always," TechCrunch quoted Skype as saying.

TechCrunch added that Purviance said he reported the XSS vulnerability to Skype nearly a month ago. — TJD, GMA News
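The defect the article describes is a classic one: an untrusted field (the sender's "Full Name") is concatenated straight into the HTML that the chat view renders, so markup in the name becomes part of the page. The following is an added illustration, not Skype's code, showing the unsafe rendering pattern beside a hardened version that HTML-encodes every untrusted field before insertion. The function names, the message template and the sample contact name are all constructed for this example. Encoding removes the injection; the article's second point, the chat view being loaded under a file:// base URI, is a separate setting of the native web view and is not covered here.

```javascript
// Added example (not Skype's code): rendering a chat line so that an
// untrusted display name cannot inject markup or script into the view.

// Minimal HTML entity encoding for text placed into an HTML template.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw display name and text are concatenated into HTML,
// so any tags they contain are parsed as part of the chat page.
function renderMessageUnsafe(fullName, text) {
  return `<div class="msg"><b>${fullName}</b>: ${text}</div>`;
}

// Hardened pattern: every untrusted field is encoded before insertion, so the
// same input is displayed as literal characters rather than parsed as markup.
function renderMessageSafe(fullName, text) {
  return `<div class="msg"><b>${escapeHtml(fullName)}</b>: ${escapeHtml(text)}</div>`;
}

// Simple check used here to contrast the two renderers: does the fragment
// still contain an opening <script> tag that a WebKit view would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a contact whose display name carries a harmless script tag.
const SAMPLE_NAME = "Alice <script>alert(1)</script>";
const SAMPLE_TEXT = "hi";

// Stand-alone demonstration of the difference.
console.log("unsafe:", renderMessageUnsafe(SAMPLE_NAME, SAMPLE_TEXT));
console.log("safe:  ", renderMessageSafe(SAMPLE_NAME, SAMPLE_TEXT));
```

Running the block prints the two renderings: in the unsafe one the `<script>` element survives intact and would execute when the page loads, while in the hardened one it appears as `&lt;script&gt;` and is merely displayed as text. In a real client the same rule applies to every field that originates from another user, not only the name.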

Tags: apple, appleios, skype