Users of Skype’s iOS app for the iPhone & iPod touch be warned: a dangerous new vulnerability has been found in version 3.0.1 that could allow attackers to run malicious JavaScript code simply by sending you a chat message.
The bad news is that simply viewing a chat message can make you vulnerable, meaning that anybody who sends you a message on Skype could view your private information or cause problems with your device.
Fortunately, Skype is aware of the issue, and is actively working on releasing an update that will take care of the exploit. Phil Purviance, the security researcher who discovered the exploit, had the following to say:
Executing arbitrary JavaScript code is one thing, but I found that Skype also improperly defines the URI scheme used by the built-in WebKit browser for Skype. Usually you will see the scheme set to something like “#” or “skype-randomtoken”, but in this case it is actually set to “file://”. This gives an attacker access to the user's file system, and an attacker can access any file that the application itself would be able to access.
The good news is that access is limited to files the Skype app itself can read, so any attacker who uses this exploit would be unable to reach certain sensitive files, although items such as the address book would continue to be available to potential hackers.
The warning is this: be careful on Skype for the next few days. Don’t read chats from people you don’t know, and close the Skype app as soon as you suspect something unusual might be happening on your device. We’ll keep you updated on any future releases from Skype to fix this issue. Check out the video below to see how it all works: