Skype cross-zone scripting vulnerability leads to remote code execution

Written by DP

Friday, 18 January 2008

Update 20/01/2008:
Read more detailed information on Skype's security blog about the steps that have been taken to neutralize the issue before actual attackers take advantage of it.

Miroslav Lučinskij of Lithuanian Critical Security team, has shared on full disclosure the details of a new XSS which affects one of the features of Skype. Furthermore, this feature allows the user to add a video into his mood status. Miroslav pointed out that "video selection is done through Skype partners and is based on regular WEB functionality". He wrote that "it is possible to inject a script to the "Add video to chat" dialog via the Title field of the DailyMotion movie information". Later on that day, security researcher Aviv Raff replied that this is actually a cross-zone scripting vulnerability (XZS) and included on his blog more information about the issue along with a proof-of-concept video demonstration:

Basically what malicious people can achieve with this vuln, is to upload a movie with a popular keyword and own users that will search the video through Skype:

The Dailymotion script insertion vulnerability currently works and is mirrored here:

It appears that Skype has removed Dailymotion from the feature.


Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.