Skype Vulnerability Surfaces

Are you a frequent Skype user? Levent Kayan, a Berlin-based security consultant, discovered a critical flaw in Skype that lets malicious script run inside the program, potentially allowing attackers to take over other users’ accounts. Skype was notified of the flaw one day after it was posted to the consultant’s blog.

The vulnerability exists in the phone number field available in user profiles where you can enter your number to allow your contacts to reach you offline. Unfortunately, this field is not set up to require pure number inputs. This makes it possible for malicious users to insert JavaScript that takes advantage of the vulnerability.

Once the malicious script is in place, anyone on the attacker’s contacts list is vulnerable as soon as they log in to their account. Logging in updates your contacts’ profiles, including their phone number information.
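The two defensive layers this flaw calls for, shown as an added example that is not Skype's code: an allowlist check when the phone number is saved, and HTML encoding when a contact's profile is rendered. All function names, the allowlist pattern, and the sample profiles are assumptions made for illustration.

```javascript
// Added example: names and the allowlist pattern are assumptions, not Skype's code.

// Allowlist for a phone-number profile field: optional leading "+", then
// digits with common separators; 4 to 20 digits once separators are stripped.
const PHONE_SHAPE = /^\+?[0-9 ().-]+$/;

function validatePhone(input) {
  if (typeof input !== "string") return { ok: false, reason: "not a string" };
  const trimmed = input.trim();
  if (!PHONE_SHAPE.test(trimmed)) return { ok: false, reason: "illegal characters" };
  const digits = trimmed.replace(/\D/g, "");
  if (digits.length < 4 || digits.length > 20) return { ok: false, reason: "bad length" };
  // Store a canonical form so every client renders the same harmless string.
  return { ok: true, value: (trimmed.startsWith("+") ? "+" : "") + digits };
}

// Second layer: encode on output, because records stored before the
// validator existed (or written by another client) may still contain markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderPhoneUnsafe(profile) {
  // The flawed pattern: profile data concatenated into markup as-is.
  return "<span class=\"phone\">" + profile.phone + "</span>";
}

function renderPhoneSafe(profile) {
  return "<span class=\"phone\">" + escapeHtml(profile.phone) + "</span>";
}

// Constructed sample profiles (not real data).
const legit = { phone: "+49 (30) 1234-5678" };
const hostile = { phone: "<script>/* constructed marker */</script>" };

for (const p of [legit, hostile]) {
  const v = validatePhone(p.phone);
  console.log(JSON.stringify(p.phone), "->", v.ok ? v.value : "rejected: " + v.reason);
}
console.log(renderPhoneUnsafe(hostile)); // markup reaches the viewer intact
console.log(renderPhoneSafe(hostile));   // rendered as inert text
```

Validation alone protects only new writes; the output encoding is what keeps an already-stored value from executing when a contact's client displays it.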

There are a few reasons not to be completely paranoid about this situation. First, the attacker must be on your contacts list. Unlike a software virus, this script doesn’t spread automatically; the attacker has to insert it individually into each account he successfully takes over. There is also no guarantee that the script will work, especially on mobile or third-party clients. In fact, it currently only affects Skype client 5.3.0.120 for Windows and OS X.

Vulnerabilities like these are the result of small flaws in software design that are often easily overlooked by developers as they work to resolve other issues through updates. While it would be nice to think that most software is rock solid and invulnerable, that really isn’t the case. Operating systems especially have frequent updates to resolve ongoing security issues as they are discovered. In cases like this, it’s safe to assume that Skype will be coming out with a new version of its software once this vulnerability is patched. This only stresses the importance of keeping your software (especially if it interacts with a service over the Internet) updated to the latest version.

Article Written by

Ryan Matthew Pierson has worked as a broadcaster, writer, and producer for media outlets ranging from local radio stations to internationally syndicated programs. His experience includes every aspect of media production. He has over a decade of experience in terrestrial radio, Internet multimedia, and commercial video production.

  • Anonymous

    And they just teamed up with Facebook. What surprising timing for this news.
