Skype Update 5.5 With Critical Security Vulnerability

Martin Brinkmann
Jul 29, 2011
Updated • Feb 16, 2014
Facebook, Security

It does not happen often that software updates ship with critical security issues, or that those issues are detected shortly after an update gets released.

But that's exactly the case with the Skype 5.5 release for Windows. Skype 5.5 is the first version with Facebook integration. Skype users with a Facebook account can now use some of Facebook's functionality right in the voice over IP software. This includes posting comments and status updates, or seeing which Facebook friends are online on the social networking website.

Facebook Chat in return has gained Skype integration, allowing Facebook users to video chat with online friends.

Security researcher David Vieira-Kurz discovered several vulnerabilities in the new Skype version that could allow an attacker to take over the Skype session of a user. What makes this attack even more dangerous is the fact that the attacker does not have to be a Facebook user's friend or Skype contact to launch the attack.

The attack uses code that is entered into a wall or comment post. The Skype session information is then displayed on screen. The exploit is persistent in nature, as logging off and on again on Facebook does not invalidate the Skype session. The vulnerability is caused by Skype's inadequate escaping of data that is posted on Facebook.
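The escaping failure described above, shown as an added example that is not from the original article or from Skype's code: a hypothetical feed renderer that inserts post text into markup unchanged, next to a hardened version that escapes it at output time. All function names, the template and the sample posts are constructed for illustration.

```javascript
// Added example: hypothetical feed renderer, not Skype's actual code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape untrusted text for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: feed fields are concatenated into markup unchanged,
// so tags inside a post become part of the page the client renders.
function renderPostUnsafe(post) {
  return `<div class="post"><span class="author">${post.author}</span>: ${post.text}</div>`;
}

// Hardened form: every feed-supplied field is escaped when it is written out.
function renderPostSafe(post) {
  return `<div class="post"><span class="author">${escapeHtml(post.author)}</span>: ${escapeHtml(post.text)}</div>`;
}

// Count HTML tags in a rendered fragment.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// Return the authors of posts whose rendering contains more tags than the
// template itself produces, i.e. posts whose text was interpreted as markup.
function auditFeed(posts, render) {
  const templateTags = countTags(render({ author: "", text: "" }));
  return posts
    .filter((post) => countTags(render(post)) > templateTags)
    .map((post) => post.author);
}

// Constructed sample feed. The second post comes from a non-contact and
// carries markup. Because the post is stored, it is rendered again on every
// later visit, which is what makes this class of bug persistent.
const SAMPLE_POSTS = [
  { author: "friend", text: "Tom & Jerry <3" },
  { author: "stranger", text: "<script>/* attacker-controlled code */</script>" },
];

console.log("unsafe renderer flags:", auditFeed(SAMPLE_POSTS, renderPostUnsafe));
console.log("safe renderer flags:", auditFeed(SAMPLE_POSTS, renderPostSafe));
```

Running the same audit over both renderers in a test suite catches a regression where a new feed field is added to the template without escaping.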

David has posted a proof of concept video that demonstrates the vulnerability.

Windows users who are considering updating to Skype 5.5 for the Facebook integration and chat functionality should consider waiting until an update is released by Skype. No workaround is available at this point in time.

What can you do if you have already updated to Skype 5.5? You could block the Skype app on Facebook under Privacy Settings until a fix is available. Please note that I have not tested this.


Comments

  1. tom said on July 29, 2011 at 11:03 am

    Martin, very interesting as usual. Just one question though – you mention waiting with the Skype update until a fix is available. I am not aware of an option in this respect. My last two updates came through automatically without any option to deny, delay or stop them. I even went to the forum but it seems that the new versions consider automatic updates a security feature that is no longer optional. Obviously even without your new information I think that is bad policy if true. So if you know how to disable automatic updates in Skype, please share that info.

    Kind Regards
    Tom

    1. Martin Brinkmann said on July 29, 2011 at 11:07 am

      Tom, I’m actually not using Skype anymore. Did not know that you cannot block updates from going out. The only option in this case is to block Skype on Facebook then.
