Skype.com SSL-powered support page vulnerable to XSS

Written by DP

Sunday, 23 May 2010

Independent security researcher nicknamed "Xylitol" found a critical cross-site scripting (XSS) vulnerability affecting the SSL-powered support page on Skype.com. Malicious users can exploit this issue to infect Skype users with malware, adware and spyware.
 
Skype.com XSS:
 
Certain input fields are not properly filtered against script injection, so potentially malicious scripts can be executed in users' browsers.
 
One scenario would be phishing attacks against millions of Skype users, aiming to steal their login credentials in order to use their call credits. This can be done with a simple iframe tag injection. Unwitting Skype users would trust their privacy and security the moment they read "https://www.skype.com" in their browser's address bar... Botnet herders and spyware distributors could also entice unwitting users into downloading an important-looking but fake Skype update.
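To show the defect pattern behind this advisory and the two things a defender wants next to it, here is an added example (not code from Skype or from the advisory): a support-page search term reflected into HTML verbatim, the same rendering with the term HTML-encoded, and a scan over constructed web-server log lines that flags requests whose decoded query string carries tag-like content. All hosts and log entries are constructed placeholders.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: a support-page search URL whose "q" parameter carries
# an iframe injection attempt like the scenario described above. The hosts
# are .invalid placeholders, not real sites.
CONSTRUCTED_URL = (
    "https://support.example.invalid/search?q="
    "%3Ciframe+src%3D%22https%3A%2F%2Flogin.example.invalid%22%3E%3C%2Fiframe%3E"
)

def query_param(url: str, name: str) -> str:
    """First value of a query-string parameter (percent-decoded), or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]

def render_unsafe(term: str) -> str:
    """The defect pattern: the user-supplied term is reflected into HTML as-is."""
    return f"<p>Results for: {term}</p>"

def render_safe(term: str) -> str:
    """Hardened version: encode the term for an HTML text context before reflecting it."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"

def injected_markup_survives(rendered: str) -> bool:
    """True if anything other than the template's own two tags opened a '<' in the output."""
    return rendered.count("<") != 2

# Detection side: flag access-log entries whose decoded query string contains
# tag-like content in a parameter that should only ever hold plain text.
TAG_RE = re.compile(r"<\s*/?\s*(iframe|script|img|svg|object|embed)\b", re.I)

# Constructed access-log lines (combined log format), one benign, one injection attempt.
CONSTRUCTED_LOG = [
    '203.0.113.5 - - [23/May/2010:10:00:00 +0000] "GET /search?q=call+credits HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/May/2010:10:00:01 +0000] "GET /search?q=%3Ciframe+src%3D'
    '%22https%3A%2F%2Flogin.example.invalid%22%3E HTTP/1.1" 200 612',
]

def flag_suspicious_requests(log_lines):
    """Return the request targets whose decoded query string looks like tag injection."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if m and TAG_RE.search(unquote(m.group(1))):
            hits.append(m.group(1))
    return hits
```

Output encoding at the point of reflection is the fix; the log scan only catches the attempts that a reflected parameter would otherwise have served back to victims.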
 
Screenshot #1:

Screenshot #2:
Skype has been XSSed in the past (all fixed now):
jobs.skype.com XSS vulnerability notified by THE_MILLER
www.skype.com XSS vulnerability notified by x2Fusion
www.skype.com XSS vulnerability notified by x2Fusion
accessories.skype.com XSS vulnerability notified by Sid
 