Welcome Guest [Log In] [Register]

Kia Ora
You are currently viewing our forum as a guest. This means you are limited to certain areas of the board and that there are some features you can't use or read.

We are an active community of worldwide senior members participating in chat, politics, travel, health, blogging, graphics, computer issues & help, book club, literature & poetry, finance discussions, recipe exchange and much more. Also, as a member you will be able to access member only sections, many features, send personal messages, make new friends, etc.

Registration is simple, fast and completely free. Why not register today and become a part of the group. Registration button at the very top left of the page.

Thank you for stopping by.

Join our community!

In case of difficulty, email worldwideseniors.org@gmail.com.
If you're already a member please log in to your account to access all of our features:

Username:   Password:
Add Reply
Skype confirms XSS vulnerability in iPhone app
Topic Started: Sep 21 2011, 12:28 PM (225 Views)
Deleted User Sep 21 2011, 12:28 PM Post #1
Deleted User
Quote:
 
Skype confirms XSS vulnerability in iPhone app

An XSS bug in the iPhone and iPad version of the Skype client, in combination with an incorrect WebKit setting, allows an attacker to directly access files on the device, including the user's Address Book. The XSS bug itself is an incorrect encoding of the incoming user's "Full Name" which allows JavaScript code to be embedded in it.

The problem is made more exploitable by the way Skype uses the embeddable WebKit browser; Skype developers have set the URI scheme for the embedded browser to "file://". This error allows an attacker to access the file system and read any file that the app would be allowed to read by the iOS application sandbox. One file that every iOS application has access to is the user's SQLlite AddressBook database. In a demonstration of the bugs, Phil Purviance, AppSec Consulting security researcher, showed how it was possible to extract the iPhone address book using the vulnerabilities.


More plus screenshot - http://www.h-online.com/security/news/item/Skype-confirms-XSS-vulnerability-in-iPhone-app-1346284.html
Quote Post Goto Top
 
1 user reading this topic (1 Guest and 0 Anonymous)
« Previous Topic · SOFTWARE & HARDWARE · Next Topic »
Add Reply