Skype.com SSL powered support page vulnerable to XSS
Written by DP
Sunday, 23 May 2010
Independent security researcher nicknamed "Xylitol" found a critical cross-site scripting (XSS) vulnerability affecting the SSL-powered support page on Skype.com. Malicious users can exploit this issue to infect Skype users with malware, adware and spyware.
Certain input fields are not properly filtered to protect against script injections and would therefore allow potentially malicious scripts to be executed on users' browsers.
One scenario would be to conduct phishing attacks against millions of Skype users, aiming to steal their login credentials in order to make use of their call credits. This can be performed with a simple iframe tag injection. Unwitting Skype users would trust the page's privacy and security the moment they read "https://www.skype.com" in their browser's address bar. Botnet herders and spyware distributors could likewise entice users into downloading an important-looking but fake Skype update.
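The root cause described above is a page that reflects user input into its HTML without encoding it. The following Node.js snippet is an added example, not code from XSSed.com, Xylitol or Skype: it shows the vulnerable rendering pattern next to its hardened form, plus a small check a tester can run over rendered output to confirm that no tag or event handler from the input survived. All function names and the sample input are this example's own constructions.

```javascript
// Added example (not from XSSed.com or Skype): how a support page that reflects
// a query parameter into HTML becomes injectable, and how output encoding fixes it.
// The names below (escapeHtml, renderVulnerable, renderSafe, containsActiveMarkup)
// are hypothetical and belong to this example only.

// Replace every character that has meaning in HTML text or attribute context.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The pattern the article describes: an input field value is echoed into the
// page unfiltered, so any markup in it is interpreted by the user's browser.
function renderVulnerable(searchTerm) {
  return `<p>Results for: ${searchTerm}</p>`;
}

// Hardened form: the same value, HTML-encoded before it is placed in the page.
function renderSafe(searchTerm) {
  return `<p>Results for: ${escapeHtml(searchTerm)}</p>`;
}

// Minimal detector for a regression test or a proxy log review: does the
// rendered page still contain an active tag or an inline event handler?
function containsActiveMarkup(html) {
  return /<(iframe|script|img|svg|object|embed)\b/i.test(html) ||
         /\bon\w+\s*=/i.test(html);
}

// Constructed sample input: ordinary text carrying an inline iframe tag, as a
// user could submit it through a search or contact field on a support page.
const SAMPLE_INPUT = 'call credits <iframe src="https://example.invalid/"></iframe>';

// Render the same input both ways and report whether markup survived.
function demo() {
  const vulnerable = renderVulnerable(SAMPLE_INPUT);
  const safe = renderSafe(SAMPLE_INPUT);
  console.log("vulnerable:", vulnerable, "active markup:", containsActiveMarkup(vulnerable));
  console.log("safe:      ", safe, "active markup:", containsActiveMarkup(safe));
  return { vulnerable, safe };
}

demo();
```

Encoding at the point where data is written into HTML is the fix that closes this class of bug regardless of which field the input arrived through; filtering on the way in is a weaker supplement because it must anticipate every encoding trick, while output encoding needs to know only the context it writes into.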
Skype has been XSSed in the past (All fixed now):