Skype for iOS has major security hole, may put your address book at risk


Screenshot by Joe Aimonetti

A new security hole found in Skype for iOS could allow a hacker to access your entire address book, according to a blog post from security firm SuperEVR.

According to the post, “[a] Cross-Site Scripting vulnerability exists in the ‘Chat Message’ window in Skype 3.0.1 and earlier versions for iPhone and iPod Touch devices.” So, what does this mean? Basically, when a Skype user views a chat message, a hacker's JavaScript code can run against a locally stored HTML file that is currently not encoded properly, revealing the user’s Full Name data field. That is where the vulnerability is, but that’s not the scary part.

“I found that Skype also improperly defines the URI scheme used by the built-in webkit browser for Skype. This gives an attacker access to the user’s file system, and an attacker can access any file that the application itself would be able to access.”

That’s the scary part. Anything Skype can do with your iPhone, a hacker with the right chops could also do. Don’t worry, though, it’s not all bad. Apple’s app sandbox design in iOS will prevent the most sensitive information from being accessed, but as the poster noted, Skype, like every iOS app, has access to the user’s address book. In the proof-of-concept video below, he shows how the address book data can be stolen by exploiting this vulnerability.

TechCrunch has noted that Skype is aware of the issue and working furiously to release an update that closes the hole.
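The encoding flaw described above, sketched as an added example that is not Skype's code or the researcher's: it assumes a chat view that builds its HTML by string interpolation, and every name in it (`escapeHtml`, `renderChatUnsafe`, `renderChatSafe`, `nameAltersMarkup`, the sample name) is hypothetical.

```javascript
// Added example; all identifiers and sample data are constructed for illustration.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the sender's Full Name goes into the markup as-is
// (assumption of this example: the message body is encoded, the name was missed).
function renderChatUnsafe(msg) {
  return `<div class="msg"><span class="from" title="${msg.fullName}">${msg.fullName}</span>` +
         `<p>${escapeHtml(msg.body)}</p></div>`;
}

// Hardened pattern: every untrusted field is encoded at the point of output.
function renderChatSafe(msg) {
  const name = escapeHtml(msg.fullName);
  return `<div class="msg"><span class="from" title="${name}">${name}</span>` +
         `<p>${escapeHtml(msg.body)}</p></div>`;
}

// Sequence of opening/closing tag names in a rendered fragment.
function tagSkeleton(html) {
  return (html.match(/<\/?[a-zA-Z][a-zA-Z0-9]*/g) || []).join(' ');
}

// Regression check: a display name must never change the page structure.
// Compares the skeleton against the one produced by a plain, benign name.
function nameAltersMarkup(render, fullName) {
  const baseline = tagSkeleton(render({ fullName: 'Alice', body: 'hi' }));
  return tagSkeleton(render({ fullName, body: 'hi' })) !== baseline;
}

// Constructed sample: a contact whose Full Name carries markup.
const HOSTILE_NAME = 'Eve<script>alert(1)</script>';

console.log('unsafe renderer altered by name:', nameAltersMarkup(renderChatUnsafe, HOSTILE_NAME));
console.log('safe renderer altered by name:  ', nameAltersMarkup(renderChatSafe, HOSTILE_NAME));
```

Output encoding addresses the injection only; the file access described in the quoted post comes from the URI scheme the embedded browser uses, which needs its own fix.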

Should the burden of user security be placed more on Apple’s iOS or the app developers? Let me know your thoughts in the comments!
