
[Full-disclosure] Skype videomood XSS



I want to share some of our thoughts on Skype security. I will try to be short: 
Skype has a feature which allows a user to insert a video into his mood - video 
selection is done through Skype partners and is based on regular WEB 
functionality. So this feature practically inherits WEB's problems - in this 
particular case it's XSS attacks.

In fact, Skype security is now dependent on their partners' website security as 
no additional measures are taken to filter possible malicious content that may 
come from the partners - dailymotion and metacafe are treated like trusted 
resources. This is wrong and may cause trouble.

We were able to find some permanent XSS vectors in dailymotion.com: videos have 
a 'Title' field, which is not properly filtered and is returned to the user in 
certain conditions. So it becomes possible to execute malicious script content 
when the user is searching for a video to add to his mood. You may also test it 
by entering the word 'saugumas' in the dailymotion.com video search field.

Screenshots are available here: http://www.critical.lt/?opinions/show/1470 

Best regards,

Miroslav Lučinskij,
Critical Security
Lithuania, Vilnius

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
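
Added example, not part of the original post and not Skype's or the partners' code: the mitigation the message implies, where an embedding client treats partner-supplied video metadata as untrusted and encodes it before rendering a search result. The record fields (title, pageUrl), the host allowlist and the sample records are assumptions constructed for illustration.

```javascript
// Hypothetical rendering of partner search results inside an embedding client.
// Field names (title, pageUrl) and TRUSTED_HOSTS are assumptions, not a real API.
const TRUSTED_HOSTS = new Set(["www.dailymotion.com", "www.metacafe.com"]);

// Encode a value for use in HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// Accept only https links to an allowlisted partner host; anything else
// (javascript:, data:, unknown hosts, unparsable input) is rejected.
function safePartnerUrl(raw) {
  try {
    const url = new URL(raw);
    if (url.protocol !== "https:" || !TRUSTED_HOSTS.has(url.hostname)) return null;
    return url.href;
  } catch {
    return null;
  }
}

// Pattern the post describes: the partner's Title field is concatenated as markup.
function renderResultUnsafe(video) {
  return `<li><a href="${video.pageUrl}">${video.title}</a></li>`;
}

// Hardened: title encoded as text, link validated and then encoded as an attribute.
function renderResultSafe(video) {
  const href = safePartnerUrl(video.pageUrl);
  const title = escapeHtml(video.title);
  return href
    ? `<li><a href="${escapeHtml(href)}">${title}</a></li>`
    : `<li>${title}</li>`;
}

// Constructed sample records, not real partner data.
const samples = [
  { title: "Holiday clip", pageUrl: "https://www.dailymotion.com/video/x1" },
  { title: "<script>alert(1)</script>", pageUrl: "https://www.dailymotion.com/video/x2" },
  { title: "Odd link", pageUrl: "javascript:alert(1)" },
];

for (const v of samples) console.log(renderResultSafe(v));
```

Encoding at the point of output keeps the client safe even when a partner stores unfiltered titles, which is the dependency the post objects to.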