If you’re using Skype for iOS version 3.0.1 or older, you might want to think twice before opening messages from people you don’t know. According to a security expert, a cross-site scripting (XSS) vulnerability exists in the Chat section of Skype for iOS on both the iPhone and iPod touch.

Apparently, Skype fails to properly encode the “full name” of the sender of an incoming chat message, allowing the sender to add malicious JavaScript code that can be executed as the message is opened…

When the code is run, the attacker can access and download all the information that the Skype app can access on your device, including your address book.
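The flaw described above is a missing output-encoding step on a sender-controlled field. The following is an added illustration in generic JavaScript, not Skype's code: it renders a chat message with and without encoding the sender's full name, then checks which elements and attributes end up in the markup. All function names and sample names are constructed for this example.

```javascript
// Added illustration; hypothetical names, not taken from the Skype app.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode every character that can open a tag or close a quoted attribute.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Flawed pattern: the sender-controlled full name goes into the markup as-is.
function renderMessageUnencoded(fullName, body) {
  return `<div class="msg"><span class="sender" title="${fullName}">` +
         `${fullName}</span><p>${encodeHtml(body)}</p></div>`;
}

// Corrected pattern: the name is encoded in both the attribute and the text.
function renderMessageEncoded(fullName, body) {
  const safeName = encodeHtml(fullName);
  return `<div class="msg"><span class="sender" title="${safeName}">` +
         `${safeName}</span><p>${encodeHtml(body)}</p></div>`;
}

// Regression check: list the opening tags and attribute names in the output.
// Anything beyond the template's own structure came from untrusted input.
function structureOf(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.map((tag) => {
    const name = tag.match(/^<([a-zA-Z0-9]+)/)[1].toLowerCase();
    const attrs = [...tag.matchAll(/\s([a-zA-Z-]+)="[^"]*"/g)].map((m) => m[1]);
    return attrs.length ? `${name}[${attrs.join(",")}]` : name;
  }).join("|");
}

const TEMPLATE_STRUCTURE = "div[class]|span[class,title]|p";

// Constructed display names: one adds an element, one adds an attribute.
const SAMPLE_NAMES = ['Alice <b id="injected">', 'Bob" data-injected="1'];

for (const name of SAMPLE_NAMES) {
  console.log("unencoded:", structureOf(renderMessageUnencoded(name, "hi")));
  console.log("encoded:  ", structureOf(renderMessageEncoded(name, "hi")));
}
```

With encoding applied, both sample names produce only the template's own structure; without it, the extra element or attribute shows up in the list.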

This is what this hack looks like in action:

Skype is aware of this vulnerability and is currently working on issuing a fix. They issued the following statement:

“We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.”

In the meantime, you should make sure you trust the sender before opening incoming chat messages that look shady.