Security researchers have discovered a flaw in Skype that could enable hackers to run code on a target system, phish for credentials and crash applications.
According to Zacharis Alexandros, an independent researcher, a bug in Skype was discovered in January, but it has only recently been bought to light following the successful patch of the problem by Microsoft. He dubbed the bug, Spyke.
In a blog post (at time of publication, the article on LinkedIn (also owned by Microsoft) appears to have disappeared – here is a cached page), Alexandros said the problem mainly affected the Windows version of the VoIP application and to mount an attack, a hacker would need local access to the login screen of a running Skype instance.
He said that the vulnerability targets the fact that Skype instance contains an embedded Internet Explorer browser used for authentication purposes. An attacker can circumvent the normal authentication process and abuse the login via Facebook function to fingerprint the Internal Browser (IE), execute code in the context of the Skype process, phish credentials, and over communication traces.
He added that any system using Skype Client 18.104.22.168 and older versions that allow Facebook Login as an option are vulnerable. “Systems that use Skype and are publicly reachable like info kiosks or smart TV appliances, are particularly more attractive than local private systems (PCs) in order to be used for phishing attacks,” he warned.
The researcher also uploaded a video showing a proof of concept where code can be taken from Facebook’s developer site from inside Skype and crash the app. A hacker could also replace the login with a fake one to phish for a victim’s credentials.