Are you a frequent Skype user? Levent Kayan, a Berlin-based security consultant, has disclosed a critical flaw in Skype that lets an attacker plant malicious script inside the program, which could allow attackers to take over other users' accounts. Skype was notified of the flaw one day after the details were posted to the consultant's blog.
Once the malicious script is in place in the attacker's profile, everyone on the attacker's contact list is exposed as soon as they log in: on login the Skype client refreshes the profiles of your contacts, including their phone number information, and the script stored in that field runs inside your client.
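The underlying bug class is a stored cross-site scripting flaw: a profile field that should only ever hold a phone number is dropped straight into the client's markup, so whatever the field contains is rendered as HTML. The following is an added illustration, not Skype's own code, and the contact records (including the "mallory" profile) and the function names are constructed for this example. It shows the unsafe rendering pattern next to two hardened layers: escaping every untrusted field before it reaches the markup, and rejecting on the server anything that does not look like a phone number in the first place.

```javascript
// Added example, not code from Skype or from the researcher's post.
// Constructed profile data as a client would receive it from the server.
const contacts = [
  { name: "alice", phone: "+49 30 1234567" },
  // Constructed malicious profile: script stored in the phone number field.
  { name: "mallory", phone: "<script>alert(document.cookie)</script>" },
];

// Vulnerable pattern: profile fields are concatenated into the HTML unescaped,
// so the phone field is rendered as live markup when the contact card is shown.
function renderContactUnsafe(c) {
  return `<div class="contact"><b>${c.name}</b> Mobile: ${c.phone}</div>`;
}

// Hardened layer 1: escape every character that has meaning in HTML.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderContactSafe(c) {
  return `<div class="contact"><b>${escapeHtml(c.name)}</b> Mobile: ${escapeHtml(c.phone)}</div>`;
}

// Hardened layer 2 (server side): a phone number is digits with optional
// "+", spaces, dashes, dots and parentheses. Anything else is rejected at
// profile-update time, so script never gets stored to begin with.
// The exact character set is an assumption for this example.
const PHONE_RE = /^\+?[0-9][0-9 .()-]{3,30}$/;
function isValidPhone(value) {
  return PHONE_RE.test(String(value));
}

// Reviewer check: does an untrusted value survive rendering as a live tag?
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Renders each contact both ways and reports which outputs still carry script.
function auditContacts(list) {
  return list.map((c) => ({
    name: c.name,
    phoneAccepted: isValidPhone(c.phone),
    unsafeHasScript: containsLiveScript(renderContactUnsafe(c)),
    safeHasScript: containsLiveScript(renderContactSafe(c)),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of auditContacts(contacts)) console.log(row);
}
```

Escaping at render time is what actually closes the hole, because a phone number rendered through escapeHtml can no longer become markup no matter what the server stored; the allowlist validation is defence in depth that also stops the payload from being persisted and replayed to every contact on each login.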
There are a few reasons not to be completely paranoid about this. First, the attacker must already be on your contact list. Unlike a worm, the script does not spread on its own: the attacker would have to insert it into each account he takes over, one at a time. There is also no guarantee that the script will run, especially on mobile or third-party clients. In fact, it currently only affects Skype client 18.104.22.168 for Windows and OS X.
Vulnerabilities like this come from small flaws in software design that are easy for developers to overlook while they are busy fixing other issues in updates. It would be nice to think that most software is rock solid and invulnerable, but that is not the case; operating systems in particular ship frequent updates to close security holes as they are discovered. It is safe to assume that Skype will release a new version once this vulnerability is patched, and that is the lesson here: keep your software, especially anything that talks to a service over the Internet, updated to the latest version.