A new security hole found in Skype for iOS could allow a hacker to access your entire address book, according to a blog post from security firm SuperEVR.
According to the post, “[a] Cross-Site Scripting vulnerability exists in the ‘Chat Message’ window in Skype 3.0.1 and earlier versions for iPhone and iPod Touch devices.” So, what does this mean? Basically it means that when Skype users view a message, a hacker could have a JavaScript code that runs a check on a locally stored HTML file that is currently not encoded properly, revealing the user’s Full Name data field. That is where the vulnerability is, but that’s not the scary part.
“I found that Skype also improperly defines the URI scheme used by the built-in webkit browser for Skype. This gives an attacker access to the users file system, and an attacker can access any file that the application itself would be able to access.”
That’s the scary part. Anything Skype can do with your iPhone, a hacker with the right chops could also do. Don’t worry, though, it’s not all bad. Apple’s app sandbox design in iOS will prevent the most sensitive information from being accessed, but as the poster noted, Skype, like every iOS app, has access to the user’s address book. In the proof-of-concept video below, he shows how the address book data can be stolen by exploiting this vulnerability.
TechCrunch has noted that Skype is aware of the issue and working furiously to release an update that closes the hole.
Should the burden of user security be placed more on Apple’s iOS or the app developers? Let me know your thoughts in the comments!