Skype.com SSL powered support page vulnerable to XSS

Independent security researcher nicknamed "Xylitol" found a critical cross-site scripting (XSS) vulnerability affecting the SSL powered support page on Skype.com. Malicious users can exploit this issue to infect Skype users with malware, adware and spyware. 

 

 

Certain input fields are not properly filtered to protect against script injections and would therefore allow potentially malicious scripts to be executed on users' browsers.

 

One scenario would be to conduct phishing attacks against millions of Skype users, aiming to steal their login credentials in order to make use of their call credits. This can be performed with a simple iframe tag injection. Unwitting Skype users would trust their privacy and security immediately after they read "https://www.skype.com" on their browser's address bar... Botnet herders and spyware distributors are also able to entice unwitting users into downloading an important but fake Skype update.

 

 

 

 

 

Skype has been XSSed in the past (All fixed now):

jobs.skype.com XSS vulnerability notified by THE_MILLER
www.skype.com XSS vulnerability notified by x2Fusion
www.skype.com XSS vulnerability notified by x2Fusion
accessories.skype.com XSS vulnerability notified by Sid

 

Skype cross-zone scripting vulnerability leads to remote code execution - 18 Jan 2008 by DP (Vulnerability discovered by Aviv Raff)