EvilZone

Hacking and Security => Hacking and Security => : Stackprotector July 15, 2011, 04:38:36 PM

: Major xss leak in Skype.
: Stackprotector July 15, 2011, 04:38:36 PM

Heads up people!, a major xss leak in skype has been found.
 information and poc video :

http://www.noptrix.net/tmp/skype_win7.avi (http://www.noptrix.net/tmp/skype_win7.avi)

:

-----------------------------------------------------------------------------
|                   noptrix.net - Public Security Advisory                    |
 -----------------------------------------------------------------------------


Date:
-----
07/13/2011

Vendor:
-------
Skype Limited - http://www.skype.com/

Affected Software:
------------------
Software: Skype
Version: <= 5.3.0.120

Affected Platforms:
-------------------
Windows (XP, Vista, 7)
Mac OS X <= 10.6.8

Vulnerability Class:
--------------------
Cross-Site Scripting

Description:
------------
Skype suffers from a persistent Cross-Site Scripting vulnerability due to a lack
of input validation and output sanitization of the "mobile phone" profile entry.
Other input fields may also be affected.

Proof of Concept:
-----------------
The following Javascript payload can be used as "mobile phone" entry to trigger
the described vulnerability:

--- SNIP ---

"><iframe src='' onload=alert('mphone')>

--- SNIP ---

For a PoC demonstration see:
    - http://www.noptrix.net/tmp/skype_xss.png
    - http://www.noptrix.net/tmp/skype_linux.ogv
    - http://www.noptrix.net/tmp/skype_winxp.ogv
    - http://www.noptrix.net/tmp/skype_win7.avi

Impact:
-------
An attacker could trivially hijack session IDs of remote users and leverage the
vulnerability to increase the attack vector to the underlying software and
operating system of the victim.

Threat Level:
-------------
High!

Solution:
---------
skype.com has to validate the input characters and sanitize the output.

Vendor Contact:
---------------
The vendor will be contacted. 13th or 14th of July 2011.



: Re: Major xss leak in Skype.
: Dropchop July 15, 2011, 07:13:14 PM

Lol@facebook.

: Re: Major xss leak in Skype.
: Kulverstukas July 15, 2011, 11:48:49 PM

LOL@Microsoft...
One more proof that everything MicroShaft makes - fails.
Skype was such a good software, until MS made it SHIT.

: Re: Major xss leak in Skype.
: FuyuKitsune July 16, 2011, 05:14:21 AM

Wow, that vuln is for the current release.

: Kulverstukas  July 15, 2011, 11:48:49 PM

LOL@Microsoft...
One more proof that everything MicroShaft makes - fails.
Skype was such a good software, until MS made it SHIT.

I was thinking perhaps the vuln existed before the merger and it was just found but nope, it only happened after MS took over. First release since the buy and already a load of fail.

: Re: Major xss leak in Skype.
: iMorg July 16, 2011, 07:07:32 AM

: Kulverstukas  July 15, 2011, 11:48:49 PM

LOL@Microsoft...
One more proof that everything MicroShaft makes - fails.
Skype was such a good software, until MS made it SHIT.

You do know it is still the same programmers working on it, right? Skype is just now a division of microsoft and not a individual corporation anymore.