This exploit was used as an example in my talk at Toorcon Seattle, "XSS Without a Browser".

Vulnerability: Cross Site Scripting
Affects: Skype 5.0.x to <= 5.0.914 (OS X)
Skype (http://skype.com/) was
vulnerable to (persistent?) XSS via messages from other users.
On top of that, the DOM of this window does not contain a set Origin,
so it is possible to "bypass" the cross origin policy.
Update: After a friend went over the documentation for hooking WebKit
into applications, he found this snippet. I was wrong in saying there was a
null origin; it is just explicitly set to allow *:

Documentation
Once you have obtained the Window object for the target document, you can send it a message with the following code:

windowObj.postMessage('test message', 'http://example.com');

The first parameter is an arbitrary message.
The second parameter is the target origin value. An origin value is just a URL with the path part removed.
For example, the origin of a local file is file://. By specifying a target origin, you are saying that
your message should only be delivered if the target window's current contents came from that origin.
Although you may specify an asterisk (*) wildcard for the target origin (to allow the message to be sent
regardless of where the contents of the target window came from), you should do so only if you are certain that
it would not be harmful if your message were received by content originating from a different website.
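The quoted documentation describes the sender-side targetOrigin check; the other half of the defence is the receiver validating event.origin. The following is an added example, not code from the advisory, Skype or Apple's documentation; it assumes a plain postMessage channel and uses a fake window object so it runs outside a browser.

```javascript
// Added example: harden both ends of a postMessage channel.
// Sender: never pass '*' as targetOrigin; derive the origin from the URL whose
// content is expected in the target window (scheme://host[:port], path dropped).
// Receiver: accept only messages from an explicit allowlist of origins and treat
// event.data as untrusted text, never as HTML or code.

function originOf(url) {
  // WHATWG URL gives 'null' for opaque origins such as file://, which is why
  // a file-backed window cannot be addressed by a precise target origin.
  return new URL(url).origin;
}

function safePostMessage(targetWindow, message, targetUrl) {
  const targetOrigin = originOf(targetUrl);
  if (targetOrigin === '*' || targetOrigin === 'null') {
    // Refusing here is the opposite of the "allow *" setting the advisory found.
    throw new Error('refusing to post to a wildcard or opaque origin: ' + targetOrigin);
  }
  targetWindow.postMessage(message, targetOrigin);
  return targetOrigin;
}

function makeMessageHandler(allowedOrigins, onAccepted) {
  const allow = new Set(allowedOrigins);
  // Returns the function you would register with window.addEventListener('message', ...).
  return function handle(event) {
    if (!allow.has(event.origin)) {
      return { accepted: false, reason: 'origin not allowed: ' + event.origin };
    }
    if (typeof event.data !== 'string') {
      return { accepted: false, reason: 'unexpected payload type' };
    }
    onAccepted(event.data); // caller must render this as text (e.g. textContent), not innerHTML
    return { accepted: true };
  };
}

// Stand-alone demo with a constructed fake window (no browser needed).
const demoSent = [];
const demoWindow = { postMessage: (m, o) => demoSent.push({ m, o }) };
safePostMessage(demoWindow, 'hello', 'https://example.com/chat?room=1');
const demoHandler = makeMessageHandler(['https://example.com'], (d) => console.log('accepted:', d));
demoHandler({ origin: 'https://attacker.example', data: 'ignored' }); // rejected
demoHandler({ origin: 'https://example.com', data: demoSent[0].m });   // accepted
```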
Authentication Status: The victim must be logged into Skype, but the payload persists in the chat logs,
so a user can be exploited again when viewing those logs. Default privacy
settings require the user to have added the attacker as a contact.
Inject used in attack
More advanced attacks:
- Create an iframe to Google.com within the Skype chat DOM. Write to that
- Create an XHR request to pull /etc/hosts
- Create an XHR request to pull mobile mail.google.com, then run a regex on
  the page and pull out email titles and From fields. (Terrible terrible
Resolution
May 6th, 2011 - Skype fixed this in their 5.0.922 update. (Released April 14th, 2011)