The heart of the problem, according to Purviance, is an improper definition within the Skype app that allows access to a user’s local file system. He says the threat is partially mitigated by protections within iOS itself, but the address book remains vulnerable.
Skype appears to be in no hurry to fix the problem. In a tweet, Purviance said he notified Skype of the vulnerability on August 24, and was told that an update addressing the issue would be released in early September.
A statement from Skype confirms that the company is aware of the issue and will fix it “in our next planned release, which we hope to roll out imminently.”
You can watch a demonstration of exactly how the exploit works in this video, created by Purviance: