If you’re using Skype for iOS version 3.0.1 or older, you might want to think twice before opening messages from people you don’t know. According to a security expert, a cross-site scripting (XSS) vulnerability exists in the Chat section of Skype for iOS on both the iPhone and iPod touch.

Apparently, Skype fails to properly encode the “full name” of the sender of an incoming chat message, allowing the sender to add malicious JavaScript code that can be executed as the message is opened…

When the code runs, the attacker can access and download all the information the Skype app itself can reach on your device, including your address book.
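To make the rendering flaw concrete, here is an added JavaScript example (not Skype's code; the message shape and function names are assumptions) that contrasts a chat view which concatenates the sender's "full name" straight into HTML with one that HTML-encodes every untrusted field first.

```javascript
// Added example (not Skype's code): a minimal model of a chat view that
// builds HTML from an incoming message. `renderUnsafe` mirrors the flaw
// described above (sender "full name" inserted into markup unencoded);
// `renderSafe` encodes each untrusted field at the point of output.

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Flawed rendering: untrusted fields go straight into the markup.
function renderUnsafe(msg) {
  return `<div class="msg"><b>${msg.fullName}</b>: ${msg.text}</div>`;
}

// Hardened rendering: the same layout, but every untrusted field is encoded,
// so a name containing tags is shown as literal text instead of executed.
function renderSafe(msg) {
  return `<div class="msg"><b>${escapeHtml(msg.fullName)}</b>: ${escapeHtml(msg.text)}</div>`;
}

// Constructed sample message (assumed shape): a sender whose profile name
// carries markup, as the article describes.
const sampleMessage = {
  fullName: "Alice <script>alert('xss')</script>",
  text: "hi",
};

// Simple check a code reviewer or unit test can run on rendered output:
// does a raw script tag survive into the HTML the WebView will load?
function containsRawTag(html) {
  return /<script\b/i.test(html);
}
```

The check is deliberately narrow; in a real review, render every user-controlled field (name, status, message text) through the encoder and treat any direct string concatenation into HTML as a finding.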

This is what this hack looks like in action:

Skype is aware of this vulnerability and is currently working on issuing a fix. They issued the following statement:

“We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.”

In the meantime, make sure you trust the sender before opening incoming chat messages that look shady.

  • Holy “S#!T” that was Easy!

    – Eric

  • fdxgncgfn

    well, nobody even uses 3.0.1 and below nowadays.

    • Massie

      That’s 3.0.1 for Skype, not iOS. In other words, for the current version of Skype.

  • Vitaliy

    I thought XSS only works with browsers. Anything that is compiled on-the-run.

  • The problem is not with iOS. The problem is from the Skype app, as explained in the post.