Skype users on iOS devices should be on the look out for malicious users who intend on stealing their address book.
A vulnerability affecting Skype 3.01 on iOS devices, including the iPod Touch and iPhone, gives an attacker the ability to secretly upload the entire contents of your address book. The hole is due to a non-validated input field in the client, instead of the contents being displayed to the user, they are executed. Coupling XSS with sandbox permissions that do not allow for fine-tuned access control within apps, provides a way for an attacker to steal the contents of an unsuspecting user’s address book.
Skype has been criticised numerous times over identical vulnerabilities in their desktop software, that allowed for remote code to be executed on a victim’s computer. The flaw is one that Skype has had reported numerous times, fixed numerous times, yet they have not completely audited the applications before release.
Phil has detailed the attack performed against an iPhone 4 running iOS 4.3.5 and has indicated that the vulnerability was reported to Skype over a month ago. Hopefully a fix is in the works, but more importantly, hopefully Skype will perform a full check instead of simply throwing input sanitising on the vulnerable text field.