Visit other sites in the Know Your Mobile network
iPhone weakness exploited by Skype security flaw
A Skype security flaw on the iPhone has shown up a key weakness in iOS security, allowing hackers to steal entire phonebooks in minutes
Security on Skype for iPhone is looking shaky
Published on Sep 20, 2011
A security researcher has made a video demonstrating how easily he can steal an iPhone’s address book, simply by sending a chat message through the Skype app.
Phil Purviance showed that by using Javascript commands hackers can send a chat message to someone’s Skype app, which can be embedded with exploitative code. All the victim has to do is see the message and the code is activated.
‘When the exploit code is run, the victim's iPhone will automatically make a new connection to my server to grab a larger payload instructing the victim's iPhone to upload its entire address book file to the server,’ said Purviance, while narrating his demo.
The exploit is possible because Skype doesn’t have any mechanism to filter out Javascript code from chat messages.
It’s a remarkably similar threat to one found in Skype for Apple Mac computers in May this year by Gordon Maddern, researcher for security firm Pure Hacking.
In that particular case, instead of phonebooks being stolen the whole computer was taken over by the attacker, but the method of intrusion was the same in principle - an embedded attack launched via a Skype message.
Another weak point which makes it all possible is within iOS itself, rather than specifically the Skype app.
The problem is that iOS is designed to allow every app access to the file in which address book details are stored. Which means that if you find a way into the system via any app you’ve got access to someone’s phonebook.
Unless you’re in a particularly information sensitive business phonebook details aren’t necessarily something you want that closely guarded, but even so, the fact that such intrusion is possible so easily is jarring.
It also makes us wonder just what other exploits could daisy-chain off this one. If all apps access this same breakable phonebook file, would it be such a stretch for hackers to use it as a base to intrude into other apps and more sensitive areas of the phone?
On his blog, Purviance says intrusions into certain key areas of the iPhone aren't possible thanks to Microsoft's security measures, but we do wonder what potential there is for mayhem in any unprotected areas.
No doubt there will be a fix for Skype very soon indeed, but just how Apple plans on dealing with its own part of this glaring fault remains to be seen.
