More Holes in Skype

Thursday, December 6, 2012 @ 07:12 PM gHale


After finding a critical security hole that allowed cybercriminals to change the password of any Skype account, there are more vulnerabilities in the program.

Two of them are mail encoding web vulnerabilities that affect the Skype Community, said researchers at Vulnerability Labs.

RELATED STORIES
Skype a Malware Attack Vector
Malware with Terms of Service Pact
Simple Works for Malware Writers
LinkedIn Emails lead to BlackHole

The first – a high-severity persistent input validation vulnerability bug – can allow a remote attacker to inject arbitrary code on the application-side of the Skype Community website.

“The vulnerability is located in the filter function of the username when Skype community is processing to send a not parsed update mail. Remote attacker with low privileged application user accounts can change the username values to malicious persistent script code via POST,” said the advisory provided by Vulnerability Lab.

“The result is a persistent script code inject via noreply@skype.net. Successful exploitation of the vulnerability results in persistent phishing attacks, persistent session hijacking or mail context manipulation via persistent inject.”

The second web problem identified by the researchers is a filter and mail encoding vulnerability that affects the same Skype Community website.

The security hole affects the outgoing email service and can execute persistent code against forum customers, administrators and moderators.

“The vulnerability is located in the not sanitized message body and title parameters when processing to load the bound vulnerable Problem Reporter or Send to Friends module,” the experts said.

“The script code gets executed out of the message itself inside of the main mail template.”

The third flaw refers to a persistent software vulnerability that affects the Windows version of Skype v5.11.0.102. A remote attacker could exploit this problem to manipulate configuration app login index files.

This allows cybercriminals to persistently execute malicious code in the main software’s context via the Skype API.

A fix for this high-severity issue can occur by disallowing bound requests out of the software’s context.

Skype addressed the mail encoding web vulnerabilities, but according to the researchers the persistent software issue was still a problem.



Leave a Reply

You must be logged in to post a comment.