iOS users should watch out next time they decide to take up a conversation via Skype, they could be exposing themselves to a pretty fundamental security hole.
The vulnerability can easily be used to steal content direct from an iOS Skype user during a normal chat log and the victim is none the wiser during the attack. By utilizing the correct JavaScript commands in the attackers username and then sending the victim a message, the script can instruct whatever iOS device is on the receiving end to transfer data back to the attacker.
The attack can only work if the potential victim is using the latest version of Skype for iOS, but providing they are, their address book simply copies to a web server in a single file, easy for download.
The steps that need to be taken to fix the hole involve both Skype and Apple. First off, Skype need to throw out an update, ideally disabling JavaScript in the username field, at least while they re-work more integral stuff to fully fix their end of the problem and secondly the iOS address book is designed in such a way that it leaves contacts and full address book access completely open to any program on the device. Without being able to allow/disallow address book access for certain applications, the attack will remain possible.
We have no idea how long it will take either company to sort the problem but we hope it’s soon. On a side note, the conspiracy theorist within me is wondering whether Microsoft’s acquisition of Skype has anything to do with this, it’s the perfect way into the iOS platform for them, but hey, it’s just me who thought that, right?
Comments
Rules for posting