“Skype uses a locally stored HTML file to display chat messages from other Skype users, but it fails to properly encode the incoming user’s ‘Full Name,’ allowing an attacker to craft malicious JavaScript code that runs when the victim views the message,” Purviance wrote on his blog.
The heart of the problem, according to Purviance, is an improper definition within the Skype app that allows access to a user’s local file system. He says the threat is partially mitigated by protections within iOS itself, but the address book remains vulnerable.
Skype appears to be in no hurry to fix the problem. In a tweet, Purviance said he notified Skype of the vulnerability on August 24, and was told that an update addressing the issue would be released in early September.
A statement from Skype confirms that the company is aware of the issue and will fix it “in our next planned release, which we hope to roll out imminently.”
You can watch a demonstration of exactly how the exploit works in this video, created by Purviance:
Follow Eric on Twitter and at ericmack.org. Follow PCWorld on Twitter, too.