It does not happen often that software updates ship with critical security issues, or that those issues are detected shortly after an update gets released.
But that's exactly the case with the Skype 5.5 release for Windows. Skype 5.5 is the first version with Facebook integration. Skype users with a Facebook account can now use some of Facebook's functionality right in the voice over IP software. This includes posting comments and status updates, or seeing which Facebook friends are online on the social networking website.
Facebook Chat in turn has gained Skype integration, allowing Facebook users to video chat with online friends. Security researcher David Vieira-Kurz discovered several vulnerabilities in the new Skype version that could allow an attacker to take over the Skype session of a user. What makes this attack even more dangerous is the fact that the attacker does not have to be a Facebook user's friend or Skype contact to launch the attack.
The attack uses code that is entered into a wall or comment post. The Skype session information is then displayed on screen. The exploit is persistent: logging off and back on to Facebook does not invalidate the Skype session. The vulnerability is caused by Skype's inadequate escaping of data that is posted on Facebook.
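The root cause described above is a client rendering third-party feed content into its own HTML view without escaping it. The following is an added illustration, not Skype's or Facebook's code: a vulnerable rendering routine beside its hardened form, run over a constructed sample wall post (the field names and the `containsForeignTags` check are assumptions for this example).

```javascript
// Added example (not Skype's or Facebook's code): why a chat client that
// renders feed content from a social network into HTML must escape it.
// The post below is constructed sample data, not a real payload.

// Escape the five characters that let text change HTML structure or
// break out of an attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: post fields are concatenated straight into markup,
// so any markup in the post becomes part of the client's page.
function renderPostUnsafe(post) {
  return `<div class="post"><b>${post.author}</b>: ${post.message}</div>`;
}

// Hardened pattern: every untrusted field is escaped at the point it is
// inserted into HTML, so the client shows the markup as literal text.
function renderPostSafe(post) {
  return `<div class="post"><b>${escapeHtml(post.author)}</b>: ${escapeHtml(post.message)}</div>`;
}

// Crude review check over rendered output: does any tag other than the
// ones the template itself emits survive? (Hypothetical helper.)
function containsForeignTags(html) {
  const allowed = new Set(["div", "/div", "b", "/b"]);
  const tags = html.match(/<\/?[a-zA-Z][^\s>]*/g) || [];
  return tags.some((t) => !allowed.has(t.slice(1).toLowerCase()));
}

// Constructed sample: a wall post from someone who is neither a Facebook
// friend nor a Skype contact, as the article notes is sufficient.
const samplePost = {
  author: "stranger",
  message: 'hello <script>document.title = "changed by post"</script>',
};

console.log("unsafe:", renderPostUnsafe(samplePost));
console.log("safe:  ", renderPostSafe(samplePost));
```

The unsafe rendering leaves a live `<script>` element in the client's view; the safe one shows the same text as harmless literal characters.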
David has posted a proof of concept video that demonstrates the vulnerability.
Windows users who are considering updating to Skype 5.5 for the Facebook integration and chat functionality should consider waiting until an update is released by Skype. No workaround is available at this point in time.
What can you do if you have already updated to Skype 5.5? You could block the Skype app on Facebook under Privacy Settings until a fix is available. Please note that I have not tested this.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.