Researcher Finds Dangerous Vulnerability In Skype

← Back to Stories (view on slashdot.org)

Researcher Finds Dangerous Vulnerability In Skype

Posted by Soulskill on Friday July 15, 2011 @07:33AM from the so-we-blame-microsoft-right dept.

alphadogg writes "A security consultant has notified Skype of a cross-site scripting flaw that could be used to change the password on someone's account, according to details posted online. The consultant, Levent Kayan, based in Berlin, posted details of the flaw on his blog on Wednesday and notified Skype a day later. He said on Friday he hasn't heard a response yet. The problem lies in a field where a person can input their mobile phone number. Kayan wrote that a malicious user can insert JavaScript into the mobile phone field of their profile." Skype has confirmed the flaw, but calls it 'minor,' saying it only affects people who communicate with a potential attacker on a regular basis. A fix is planned for next week.

42 comments

Min score:

Reason:

Sort:

Yikes.... by dotpotot1 · 2011-07-15 07:40 · Score: -1, Troll

As written in original paper it appears that any user you talked with can reset your password....
Typical XSS response by funnyguy · 2011-07-15 07:40 · Score: 1

I love how companies always downplay XSS. They figure it can only be used in the way shown and assume there is no other way to weaponize a vulnerability other than as presented.
1. Re:Typical XSS response by ircmaxell · 2011-07-15 08:36 · Score: 1
  
  Exactly. Especially since almost any XSS vulnerability automatically becomes a CSRF vulnerability.
  
  If I can inject JS into your browser, I can do anything that you can do on that site...
  
  --
  If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
spin baby, spin by sqlrob · 2011-07-15 07:41 · Score: 1

calls it 'minor,' saying it only affects people who communicate with a potential attacker on a regular basis.
Like say, a skilled phisher / social engineer?
1. Re:spin baby, spin by Riceballsan · 2011-07-15 09:07 · Score: 1
  
  Yeah it's a minor flaw, you are perfectly safe as long as you don't talk with people. I mean who skypes with someone without getting a long detailed background check and ensuring that they don't currently and won't ever have anything against you.
2. Re:spin baby, spin by Caesar+Tjalbo · 2011-07-15 09:32 · Score: 1
  
  calls it 'minor,' saying it only affects people who communicate with a potential attacker on a regular basis.
  Like say, a skilled phisher / social engineer?
  Well the guy who found the flaw is still wondering why they haven't contacted him.
  
  --
  "I'm not much interested in interoperability. I want substitutability. I want to be able to throw your software out."
3. Re:spin baby, spin by HappyPsycho · 2011-07-20 04:49 · Score: 1
  
  U mean like a jealous / paranoid spouse?
inb4 microsoft by Anonymous Coward · 2011-07-15 07:44 · Score: 0, Funny

inb4 any comments blaming Microsoft.
1. Re:inb4 microsoft by ArhcAngel · 2011-07-15 08:09 · Score: 1
  
  Rats...I was too slow.
  
  --
  "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Dangerous by Normal+Dan · 2011-07-15 07:44 · Score: 1

Just how dangerous is this flaw? Are we talking about holing an antenna during a thunderstorm dangerous, or giving my kid a loaded gun as a toy dangerous, or what?

Just curious is all.

--
A unique way to learn a language: http://languageloom.com
1. Re:Dangerous by Anonymous Coward · 2011-07-15 07:54 · Score: 0
  
  Giving a kid your kid plays with access to a loaded gun dangerous. Maybe they'll use it, maybe they won't.
'tis but a flesh wound by cultiv8 · 2011-07-15 07:46 · Score: 1

Skype has confirmed the flaw, but calls it 'minor,' saying it only affects people who communicate with a potential attacker on a regular basis.

Phew, good news. This is the same security model I use on my web server, I think Sony does too, thankfully there ain't no haxxors visiting my sites!

--
sysadmins and parents of newborns get the same amount of sleep.
Skype doesn't care by jtara · 2011-07-15 07:49 · Score: 3, Insightful

Skype doesn't care. But maybe their new robot overlo.... er, Microsoft will.
A friend of mine started harassing me with text messages after he "found" an iPhone on the floor of a bar (no, seriously! no, not a prototype...) and I wouldn't help him reset it. (Actually I did - I said "Google it, it's easy".
I had to add a blocking service from ATT, but then he switched to bombing me SMS messages from Skype. So, I attempted to contact Skype to get it stopped. Ever try to contact Skype? Like, a live person on the phone? I never managed to figure that out, but at least I did manage to get some clueless person at Skype to email me.
It turns out there is a standard for stopping unwanted SMS messages from 5-digit codes. (The messages came from Skype's 5-digit code). You text back STOP and they are supposed to stop sending you SMSs. Guess what? Skype doesn't bother.
I went around and around with the clueless rep over email, and they basically told me "we can't do this, contact your carrier". I tried to explain that I'd already talked to a rep from the carrier, and they told it was Skype's responsibility to do this. I tried to tell them that their "STOP" system was broken/nonexistent. They just never "got it".
Catch-22.
1. Re:Skype doesn't care by jtara · 2011-07-15 07:51 · Score: 2
  
  Oh, yea, even figuring out how to contact Skype by email is a hassle. They have a web form for this. Only problem is, you have to be a Skype customer. Why, nobody who isn't a Skype customer would ever need to contact Skype, right?
  Catch-22.
  Aside: pretty dismayed over how hard big companies try to hide from consumers these days.
2. Re:Skype doesn't care by gomiam · 2011-07-15 07:52 · Score: 1
  
  STOP
  Sorry, couldn't help the pun ;)
3. Re:Skype doesn't care by trum4n · 2011-07-15 07:53 · Score: 1
  
  Break his iPhone. If he calls the cops, tell them its stolen anyway.
4. Re:Skype doesn't care by Anonymous Coward · 2011-07-15 08:01 · Score: 0
  
  That's your fault for giving Skype your main phone number, or whatever it is you did. Skype doesn't have any of my details except my IP, and I guess my OS, and anything they can gleam from listening to my phone calls. I find that Skype is always more expensive than using a real phone (with calling cards etc) anyway.
5. Re:Skype doesn't care by Anonymous Coward · 2011-07-15 08:18 · Score: 1
  
  Are you an idiot? His ex-buddy is SMSing him the same way he can SMS any phone through Skype: by typing in the phone number and clicking send! No "giving Skype your main phone number" involved.
6. Re:Skype doesn't care by mcmonkey · 2011-07-15 08:25 · Score: 2, Insightful
  
  Sounds the issue is your choice of "friends", not any technical issue with skype or SMS.
7. Re:Skype doesn't care by Anonymous Coward · 2011-07-15 08:47 · Score: 0
  
  Just tell him to stop? If he refuses and persists you should probably stay clear of him. Something is probably wrong with him.
  
  FWIW even my dad's USD30 or so Nokia has message screening.
8. Re:Skype doesn't care by Anonymous Coward · 2011-07-15 08:56 · Score: 0
  
  ^^ this.
  I will never understand why people willingly associate with these kinds of imbeciles.
9. Re:Skype doesn't care by Threni · 2011-07-15 09:00 · Score: 1
  
  Skype should care, given they're about to see their market share disappear down the toilet once people discover that rather than the two inherently unreliable (given their track record) companies Microsoft and Facebook, they can instead use Google+.
10. Re:Skype doesn't care by Anonymous Coward · 2011-07-15 09:08 · Score: 0
  
  once people discover that rather than the two inherently unreliable (given their track record) companies Microsoft and Facebook, they can instead use Google+
  ... are you talking about the same Google+ that ran out of storage even though they're currently only processing a tiny 1B shares per day? Yeah... way more solid than Facebook.
11. Re:Skype doesn't care by Bengie · 2011-07-15 09:17 · Score: 1
  
  My wife's sister was doing something similar once. Quick call from the police stopped that.
12. Re:Skype doesn't care by laurelraven · 2011-07-15 12:09 · Score: 1
  
  From what I understand, that was the storage set aside for notifications...and this is Google, they have an ungodly amount of storage space they could call upon, and now know to watch for that. That's why it's in beta, so they can find and fix these problems before going "live" (or, as Google calls it, "Open beta").
  
  --
  RTFA is Known to the State of California to cause cancer.
13. Re:Skype doesn't care by Anonymous Coward · 2011-07-15 12:11 · Score: 0
  
  Weird choice of the word "friend"... Maybe a bloody nose will make him STOP...
  I personally just use a blocker daemon. It works like a firewall for communication. By default, it blocks everything that's not in my phone book. But I can change the rules at will, using groups, blocking and clearing rules,etc.
  I use something similar for my landline/SIP "answering machine", for e-mail and for instant messaging.
  I still didn't manage to set up something alike, including a "butler" and "answering machine" functionality for my door bell though. Mainly because I can't figure out a cheap way that is compatible with me only having an apartment and not knowing where to put it, down beside the dozens of doorbells.
14. Re:Skype doesn't care by Anonymous Coward · 2011-07-15 13:46 · Score: 0
  
  Option C: Introduce your "friend" to mr. baseball bat
  Option D: Report your "friend" to the police for theft.
15. Re:Skype doesn't care by pe1chl · 2011-07-15 20:58 · Score: 1
  
  This is quite common today. Many social media websites offer no way to contact their support department for people who do not have an account themselves.
  When I want to contact linkedin, facebook, twitter, hyves or whatever to ask them to stop sending mail to some address, to remove a customer who has deceased, or whatever, the first thing they ask for is my username and password.
  But I don't have and don't want accounts on sites like that. I only want to report events in a role as a system administrator.
  No way to do it. They don't publish mail addresses, and the ones you may guess yourself or derive from whois are just black holes or return autoreplies that you have to use the form on their website. Which you can only access after logging in.
  Clueless idiots.
Dont worry. Skype has been bought by Microsoft by unity100 · 2011-07-15 07:51 · Score: 2

They can now say 'its not a bug, its a feature', and get it over with.

--
Read radical news here
1. Re:Dont worry. Skype has been bought by Microsoft by AndrewNeo · 2011-07-15 08:37 · Score: 0
  
  So when did the federal approval go through?
2. Re:Dont worry. Skype has been bought by Microsoft by bkaul01 · 2011-07-15 08:47 · Score: 1
  
  So when did the federal approval go through?
  About a month ago: Microsoft gets antitrust approval to buy Skype
Eat my GPL'd penis by Anonymous Coward · 2011-07-15 07:53 · Score: -1

a troll, to annoy people
Copyright (C) 2011 Anonymous Coward
This troll is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This troll is distributed in the hope that it will be annoying,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this troll. If not, see <http://www.gnu.org/licenses/>.
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting use
Doesn't work? by Anonymous Coward · 2011-07-15 07:54 · Score: 0

I just tried this on the skype.com edit your profile mobile number field. Firstly i had to remove the field length limit, after i did this and posted the "><iframe src='' onload=alert('mphone')> the page reloaded with only the "> stored and these had been changed to their html values "> or am i missing something?
What do you expect? by MaxBooger · 2011-07-15 08:05 · Score: 0

Bah! What do you expect to happen? It's crappy Microsoft software, of course it has security vulnerabilities.
.
.
.
.
.
Waiting for the wooshes...
You don't need to worry about it by sl4shd0rk · 2011-07-15 08:14 · Score: 2

Because we said so.

--
Join the Slashcott! Feb 10 thru Feb 17!
Skype Web Site, not Skype by Anonymous Coward · 2011-07-15 10:00 · Score: 0

When I first read the headline, I thought the problem was in Skype itself. It should be noted this is not the case - the flaw is in a page on Skype's Account Management site. We're not talking about the app that users run almost 24/7. We're talking about the site they log into maybe, MAYBE once a month to refill time.
The ease with which this can be exploited has been understated by Skype, however the researcher has greatly overstated the attack vector itself. This is like a steel plate a mile wide, which has a hole in it that's a half inch wide covered in matching tin foil. That is, it's insanely easy to exploit, but the only time you can hit it is when the user is actively logged into Skype's site, which for most users will be basically never.
So yeah...they're kinda both wrong.
1. Re:Skype Web Site, not Skype by Anonymous Coward · 2011-07-15 10:14 · Score: 0
  
  you are not correct -- this is a problem with the skype client.
2. Re:Skype Web Site, not Skype by Anonymous Coward · 2011-07-15 10:46 · Score: 0
  
  You really didn't read the researcher's sweet little paper. He even has a video there using the skype
3. Re:Skype Web Site, not Skype by laurelraven · 2011-07-15 12:12 · Score: 1
  
  This is like a steel plate a mile wide, which has a hole in it that's a half inch wide covered in matching tin foil.
  So, all an attacker has to do is use the Force?
  
  --
  RTFA is Known to the State of California to cause cancer.
Dangerous Vulnerability? by Anonymous Coward · 2011-07-15 10:55 · Score: 0

a.k.a. the end-user.
Asshole by alexo · 2011-07-15 11:04 · Score: 4, Informative

The consultant, Levent Kayan, based in Berlin, posted details of the flaw on his blog on Wednesday and notified Skype a day later.
Asshole.
Phew by Opportunist · 2011-07-15 21:47 · Score: 1

Got me worried for a moment. But it says it right there, all I have to do is ask my Skype partner whether he is a hacker and cease contact if he answers in the positive.
Dear Skype security "experts": Whether someone is communicating with a "potential attacker" is something they learn usually a few seconds after an attack. If at all.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.