Wednesday, 21 September 2011

iOS vulnerability leaves Skype users open to address book theft

    If you are using Skype for iPhone or iPod Touch, the Address Book on your device can easily be stolen via a simple chat message.

    How does it work?: Javascript commands are entered into the user names Skype account, a chat message is sent to the user who is using the newest version of Skype for iPhone, and a program is loaded onto a web server to receive the Address Book content.

    The report claims there is two oversights that are allowing this to happen so easily:

  • iOS allows address book contents accessible to every app installed
  • Failure by Skype to sanitize potentially dangerous JavaScript commands from the text that gets sent in chat messages
Of course it will be Skype's responsibility to patch the hole as iOS security is currently a complete mess as apple still tries to figure out the hole that made them lose the US Army defense contract.
    Meanwhile any skilled hacker/developer can collect your and your friend's addresses with the simplest app or game imaginable.
Detailed instructions of the hack after the break.