In this Null Byte, I'm going to show you how the exploit works, and what you can do to prevent it!
- Only perform this on yourself, or users who give you their explicit permission.
Step 1 Making Your XSS Test Page
- Open a Text editor like "notepad" or your favorite IDE.
- The contents of the file should look like the following:
alert("XSS on Skype? WTFBBQ!");
<body onLoad="show_alert()" />
- Click File > Save as... Click "any type" for file type. Save the file to your Desktop as "index.html".
- Upload the file to a free webhost of your choice - I recommend 000webhost.
Step 2 Crafting Your XSS Message
- Open Skype on your computer.
- Open up your settings and edit your "Name" parameter.
- Enter the following as the "Name" contents:
- Select a target that is on Skype and send them a message.
When your target receives the message, Skype will execute the XSS attack, calling the commands contained inside your remote web page. Dangerous. Below, is that the test may look like.
The short answer is, no.
The only way an iPhone Skype user can protect themselves is to simply not use the app until this is patched. You could block everyone who is not on your contacts list, but you have to trust the friends you do have to not try this on you.
Skype claims that they will have this patched in the next release. From experience, I'm going to say that that it probably won't happen soon. The last exploit like this lead to days upon days of non-stop alert flooding to all of my Skype contacts. ;)
I hope this was an informative Null Byte. Comment below, or start a thread in the forum.