SSL powered support page vulnerable to XSS

Written by DP

Sunday, 23 May 2010

Independent security researcher nicknamed "Xylitol" found a critical cross-site scripting (XSS) vulnerability affecting the SSL powered support page on Malicious users can exploit this issue to infect Skype users with malware, adware and spyware. XSS:
Certain input fields are not properly filtered to protect against script injections and would therefore allow potentially malicious scripts to be executed on users' browsers.
One scenario would be to conduct phishing attacks against millions of Skype users, aiming to steal their login credentials in order to make use of their call credits. This can be performed with a simple iframe tag injection. Unwitting Skype users would trust their privacy and security immediately after they read "" on their browser's address bar... Botnet herders and spyware distributors are also able to entice unwitting users into downloading an important but fake Skype update.
Skype has been XSSed in the past (all fixed now):
XSS vulnerability notified by THE_MILLER
XSS vulnerability notified by x2Fusion
XSS vulnerability notified by x2Fusion
XSS vulnerability notified by Sid