Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Finds Dangerous Vulnerability In Skype

Posted by Soulskill on from the so-we-blame-microsoft-right dept.

alphadogg writes "A security consultant has notified Skype of a cross-site scripting flaw that could be used to change the password on someone's account, according to details posted online. The consultant, Levent Kayan, based in Berlin, posted details of the flaw on his blog on Wednesday and notified Skype a day later. He said on Friday he hasn't heard a response yet. The problem lies in a field where a person can input their mobile phone number. Kayan wrote that a malicious user can insert JavaScript into the mobile phone field of their profile." Skype has confirmed the flaw, but calls it 'minor,' saying it only affects people who communicate with a potential attacker on a regular basis. A fix is planned for next week.

6 of 42 comments (clear)

  1. Skype doesn't care by jtara · · Score: 3, Insightful

    Skype doesn't care. But maybe their new robot overlo.... er, Microsoft will.

    A friend of mine started harassing me with text messages after he "found" an iPhone on the floor of a bar (no, seriously! no, not a prototype...) and I wouldn't help him reset it. (Actually I did - I said "Google it, it's easy".

    I had to add a blocking service from ATT, but then he switched to bombing me SMS messages from Skype. So, I attempted to contact Skype to get it stopped. Ever try to contact Skype? Like, a live person on the phone? I never managed to figure that out, but at least I did manage to get some clueless person at Skype to email me.

    It turns out there is a standard for stopping unwanted SMS messages from 5-digit codes. (The messages came from Skype's 5-digit code). You text back STOP and they are supposed to stop sending you SMSs. Guess what? Skype doesn't bother.

    I went around and around with the clueless rep over email, and they basically told me "we can't do this, contact your carrier". I tried to explain that I'd already talked to a rep from the carrier, and they told it was Skype's responsibility to do this. I tried to tell them that their "STOP" system was broken/nonexistent. They just never "got it".

    Catch-22.

    1. Re:Skype doesn't care by jtara · · Score: 2

      Oh, yea, even figuring out how to contact Skype by email is a hassle. They have a web form for this. Only problem is, you have to be a Skype customer. Why, nobody who isn't a Skype customer would ever need to contact Skype, right?

      Catch-22.

      Aside: pretty dismayed over how hard big companies try to hide from consumers these days.

    2. Re:Skype doesn't care by mcmonkey · · Score: 2, Insightful

      Sounds the issue is your choice of "friends", not any technical issue with skype or SMS.

  2. Dont worry. Skype has been bought by Microsoft by unity100 · · Score: 2

    They can now say 'its not a bug, its a feature', and get it over with.

    --
    Read radical news here
  3. You don't need to worry about it by sl4shd0rk · · Score: 2

    Because we said so.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  4. Asshole by alexo · · Score: 4, Informative

    The consultant, Levent Kayan, based in Berlin, posted details of the flaw on his blog on Wednesday and notified Skype a day later.

    Asshole.