Microsoft has squashed a claim by a German security researcher that Skype is vulnerable to cross site scripting (XSS) attacks.
The company said the exploit posted online in an advisory was benign.
Levent Kayan said the Skype client contained a persistent code injection vulnerability caused by a lack of input validation and output sanitisation of phone contact entry fields.
Skype said the attack was impossible because the vulnerable entry fields were not internet-accessible windows.
The vulnerability had credibility because Kayne last month released details of a similar high-profile exploit of the Skype client.
That attack allowed Skype contacts to be hijacked with a string of code injected into the mobile phone entry field. An attacker could run script on the victim’s machine and obtain their session ID and account details.
The flaw was fixed.
Copyright © SC Magazine, Australia
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.