Re: [FD] Skype Phishing Attack
- To: Danny Kopping <dannykopping@xxxxxxxxx>, fulldisclosure@xxxxxxxxxxxx
- Subject: Re: [FD] Skype Phishing Attack
- From: Wim Remes <wremes@xxxxxxxxx>
- Date: Fri, 13 May 2016 12:40:32 +0000
I think MSRC was on the money on this one.
On Thu, 12 May 2016 at 23:39, Danny Kopping <dannykopping@xxxxxxxxx> wrote:
> First-time poster here. I've been told to submit this issue to FD since
> Microsoft's Security Team rejected this out of hand because it doesn't meet
> their arbitrary definition of a vulnerability.
>
> "Thank you for contacting the Microsoft Security Response Center (MSRC).
> Upon investigation we have determined that this is not a valid
> vulnerability."
>
> Below is the original message I sent to secure@xxxxxxxxxxxxx:
>
> *------------------- Original Message -------------------*
> Hi
>
> I've found a way to conduct a phishing attack on unsuspecting users by
> exploiting the image preview functionality found in modern versions of
> Skype (only tested on Mac so far).
>
> Right at the outset here I'll say that I'm not a security researcher, just
> a lowly programmer.
>
> The exploit is very very simple.
> Skype announces that it is fetching an image preview when requesting an
> HTTP(S) link from a server. The User-Agent header is:
>
> Mozilla/5.0 (Windows NT 6.1; WOW64) *SkypeUriPreview* Preview/0.5
>
> This can be exploited to respond with different (even if not malicious)
> content which is disingenuous.
>
> My proof of concept can be found here:
> http://infomaniac.co.za/skype-phish/
>
> In Skype, when the link is pasted, it appears like this:
> [image: Inline image 1]
>
> And when clicked, you are shown a Facebook login form:
> [image: Inline image 2]
>
> After filling out the form and submitting it, you then see:
>
> [image: Inline image 3]
>
> The exploit is very simple and the code can be found here:
> http://infomaniac.co.za/phish.zip
>
> I hope Skype will take steps to improve the safety and security of its
> regular non-technical users.
>
> I believe this particular issue can be mitigated by simply not including a
> specific User-Agent string in requests.
>
> Thank you
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
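The behaviour described in the quoted report is content cloaking keyed on the link-preview fetcher's User-Agent: the origin serves a harmless page to the previewer and a credential form to the person who clicks. A defender (for example a link-scanning gateway or an abuse team vetting reported URLs) can test for exactly that divergence by requesting the URL once as the preview fetcher and once as an ordinary browser and comparing what comes back. The code below is an added example, not part of the original thread or of Skype; the `SkypeUriPreview` User-Agent is the one quoted in the report, while the browser User-Agent, the `example.invalid` URLs and the simulated origin are constructed so the check runs offline. Raw byte hashes are reported but not used as a signal, because ordinary dynamic pages legitimately differ between requests.

```python
import hashlib
import urllib.request
from html.parser import HTMLParser
from typing import Callable, Dict, List

# The preview User-Agent quoted in the report; the browser string is a placeholder.
PREVIEW_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) Placeholder-Browser/1.0"


class _PageSummary(HTMLParser):
    """Collects the <title>, every <form action>, and whether a password field exists."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.forms: List[str] = []
        self.has_password = False
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def summarize(html: str) -> Dict:
    """Reduce a page to the features that matter for a preview-vs-click comparison."""
    p = _PageSummary()
    p.feed(html)
    return {
        "title": " ".join(p.title.split()),
        "forms": sorted(p.forms),
        "has_password": p.has_password,
        "sha256": hashlib.sha256(html.encode("utf-8")).hexdigest(),
    }


def cloaking_report(fetch: Callable[[str, str], str], url: str) -> Dict:
    """Fetch `url` as the preview bot and as a browser; flag meaningful divergence.

    `fetch(url, user_agent)` must return the response body as text.
    """
    preview = summarize(fetch(url, PREVIEW_UA))
    browser = summarize(fetch(url, BROWSER_UA))
    findings = []
    if preview["title"] != browser["title"]:
        findings.append(f"title differs: preview={preview['title']!r} browser={browser['title']!r}")
    if preview["forms"] != browser["forms"]:
        findings.append(f"form targets differ: preview={preview['forms']} browser={browser['forms']}")
    if browser["has_password"] and not preview["has_password"]:
        findings.append("browser-facing page asks for a password; preview page does not")
    return {"url": url, "suspicious": bool(findings), "findings": findings,
            "preview_sha256": preview["sha256"], "browser_sha256": browser["sha256"]}


def http_fetch(url: str, user_agent: str, timeout: float = 10.0) -> str:
    """Real fetcher for live use (not called by the offline demo below)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed stand-in for a web origin, so the check can be exercised offline.
# One URL cloaks on the preview User-Agent; the other serves everyone the same page.
_SIMULATED_ORIGIN = {
    "http://example.invalid/cloaked": {
        "preview": "<html><head><title>Holiday photos</title></head>"
                   "<body><img src='beach.jpg'></body></html>",
        "default": "<html><head><title>Log in</title></head><body>"
                   "<form action='/collect'><input name='u'>"
                   "<input type='password' name='p'></form></body></html>",
    },
    "http://example.invalid/honest": {
        "preview": "<html><head><title>Holiday photos</title></head><body>same</body></html>",
        "default": "<html><head><title>Holiday photos</title></head><body>same</body></html>",
    },
}


def simulated_fetch(url: str, user_agent: str) -> str:
    pages = _SIMULATED_ORIGIN[url]
    return pages["preview"] if "SkypeUriPreview" in user_agent else pages["default"]


if __name__ == "__main__":
    for u in _SIMULATED_ORIGIN:
        print(cloaking_report(simulated_fetch, u))
```

To run the check against a live URL, pass `http_fetch` instead of `simulated_fetch`. The features compared (title, form targets, presence of a password field) are deliberately coarse so that personalisation, timestamps or cache-busting tokens do not raise alerts; a page that changes its title and grows a password form only when a human arrives is the pattern this report is meant to surface.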