Superevr Exploitation Vulnerability Research

19 Sep 2011

XSS in Skype for iOS

Skype for iOS contains an XSS vulnerability that allows attackers to steal information.

A Cross-Site Scripting vulnerability exists in the "Chat Message" window in Skype 3.0.1 and earlier versions for iPhone and iPod Touch devices.

Skype uses a locally stored HTML file to display chat messages from other Skype users, but it fails to properly encode the incoming user's "Full Name", allowing an attacker to craft malicious JavaScript code that runs when the victim views the message.

Screenshot: XSS in Skype (javascript alert(mphone))

To demonstrate the vulnerability, I captured a photo of a simple JavaScript alert() running within Skype.

Executing arbitrary JavaScript code is one thing, but I found that Skype also improperly defines the URI scheme used by the built-in WebKit browser for Skype. Usually you will see the scheme set to something like "about:blank" or "skype-randomtoken", but in this case it is actually set to "file://". This gives an attacker access to the user's file system, and an attacker can access any file that the application itself would be able to access.

File system access is partially mitigated by the iOS application sandbox that Apple has implemented, preventing an attacker from accessing certain sensitive files. However, every iOS application has access to the user's AddressBook, and Skype is no exception. I created a proof-of-concept injection and attack that shows that a user's AddressBook can indeed be stolen from an iPhone or iPod touch with this vulnerability.
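The two mistakes described above (an unencoded Full Name written into the chat HTML, and that HTML being rendered from a file:// base URI) both have straightforward fixes on the rendering side. The following is an added example written for this page, not Skype's code or anything from the original post; it runs under Node and shows the output encoding a chat client should apply to the attacker-controlled fields, plus a check that flags a file:// base URI. The sample name, the helper names and the assumed chat-row markup are constructed for the example.

```javascript
// Added example (not Skype's code): output-encode untrusted chat fields and
// flag a file:// base URI before rendering a local chat page in WebKit.

// Escape the five characters that let untrusted text break out of an HTML
// text node or a quoted attribute value.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build one chat-message row. Both the sender's Full Name and the message body
// arrive from the network and must be encoded before being concatenated into
// markup (the row structure here is an assumption for the example).
function renderMessage(fullName, body) {
  return `<div class="msg"><b>${escapeHtml(fullName)}</b>: ${escapeHtml(body)}</div>`;
}

// A page whose base URI uses the file: scheme lets script on that page read
// local files in WebKit. Local chat HTML should be loaded with an opaque base
// such as about:blank or a custom scheme instead.
function baseUriGrantsFileAccess(baseUri) {
  let parsed;
  try {
    parsed = new URL(baseUri);
  } catch (e) {
    return false; // unparseable base is not a file: URI
  }
  return parsed.protocol === 'file:';
}

// Constructed sample: a Full Name carrying the same kind of alert() payload the
// post demonstrates. After encoding, no tag survives in the rendered row.
const sampleName = "Mallory <script>alert('xss')</script>";
const row = renderMessage(sampleName, 'hello');
if (row.includes('<script')) throw new Error('raw tag survived encoding');
console.log(row);

// Constructed base URIs: the first is the problem case, the other two are fine.
for (const base of ['file:///var/mobile/chat.html', 'about:blank', 'skype-randomtoken://chat']) {
  console.log(base, '->', baseUriGrantsFileAccess(base) ? 'file access: REVIEW' : 'ok');
}
```

Encoding at the point where the untrusted string is written into HTML is what prevents the Full Name from becoming markup; switching the base URI away from file:// limits what any script that does slip through can reach.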

To further demonstrate the issue, I have recorded a video of this scenario. Please use the comments section below for your questions.

Video: Skype attack (stills: "Skype Attack Message", "Skype Attack Loading")


Comments (34)
  1. Very interesting find.

    I don’t really understand how you encode the file using base64, could you explain it a little more? I am not that familiar with encoding, but if I encode a sqlite file and then decode it I just get weird characters like this: ‘SQLite format 3@ ~=1<~-???;?????? '

    • The sqlite database is a binary file. I initially had trouble getting JavaScript to parse binary files, so I base64 encode the file before uploading it, then I have my server decode it once it has been received.

      The JavaScript function to encode data to Base64 is btoa('abcdefg'), and the reverse is atob("YWJjZGVmZw==").

      In order to read a sqlite database, you need a program that can read the file, like SQLite Database Browser 2.0 b1.app for MacOS.

      • I didn’t know JavaScript had built in support for Base64. I’m glad to know that. Also, is it legal to perform pen tests on random sites? I realize it is legal to perform tests on clients and whatnot given that you’re technically testing on your own system, but what of websites and servers? Is permission required?

  2. Hi,

    I was wondering how you reached an SQLite file with the running JavaScript? Did the actual JavaScript code on Skype load it as an element?

  3. Have you got an example of the code you used? I suppose you probably want to keep it kind of hush-hush though. :)

  4. Hi!
    Very interesting. I tested it with my iPhone and it connects to my server. How can I send the request to the iPhone to send the contacts?

  5. “This gives an attacker access to the users file system, and an attacker can access any file that the application itself would be able to access.”

    That’s simply not true!
    You cannot open ‘/Library/AddressBook/AddressBook.sqlitedb’ from within an app!

    My guess is that this problem is related to WebKit2 (>=iOS 4.3).
    The difference is that WebKit2 executes JavaScript in a separate process with elevated privileges.

  6. Does the malicious user have to be a contact that is already in the target user’s account, or can the attacker simply request to be added as a contact to exploit the XSS vulnerability?

    • I think the default Skype configuration is set to only allow messages from your contacts, and there is an option to allow messages from anyone.

      • Cecil’s question was different: Does this work also during processing of a contact request? Or does it only work once you are friends with somebody and they send you a chat message?

  7. Nice XSS and good video.

  8. Did you give Skype a heads up so they could fix this before you made this public?

  9. Hi there,

    Thanks for pointing this out. If I automatically block unknown users from contacting me, this is not an issue. Is that assumption correct?

    If I use a firewall on the iPhone what would I need to check/block to avoid this data going out? Are you specifying a particular port to receive/send the data to the web server? Is it using a port by default?

    Many Thanks.

    roymondo

  10. Nice, when you gain access, Apple’s sandbox concept will not allow you to do much, if anything. We would like to see it gain access to anything outside of the Skype bundle and folders. Beyond concept, can you steal any data outside of what is in the Skype app sandbox: user names, addresses, etc.?

    From our test you cannot do anything except steal Skype-related data, which can be fun, but not of much use…

  11. Can you please tell us the whole line … <irframe id=m src=http ?????

    Thanks.

  12. Hi, I understood almost everything, except the part where you get the raw data… How did you do this? Is the policy so open that you are able to do an XMLHttpRequest for a file:// URL? Or did you use another way?

  13. Interesting one. I hope soon they will fix this problem.

  14. @Anonymous
    If hacking is legal in your country you can do this without permission…..

    @Superevr
    Great proof of concept. Some might say you can just get “part” of the iPhone data.
    I think you just proved that you can easily access parts of private data, and that is way more than Apple should allow. And in my opinion I hope you don’t share the code and let Apple fix this first.
    Sure it is need to have this code and play with it, but for those who cannot write this code themselves (just like I can’t), you are no more than script kiddies if you use this code.
    So there will be nothing to be proud of….

    • Apple and/or Skype (they might be pointing to each other for who is responsible to fix this :)

    • I’m going to assume you meant me. Hacking isn’t legal in my country. There’s a fine line that has to be walked in order to avoid doing anything illegal. I’m not sure where that line is. I’m sure I’ve crossed it in the past, and I’d like to avoid crossing it in the future. I’m not sure /how/ to avoid crossing that line as I’m pretty sure that just about anything I do would violate the same law that samy (http://samy.pl) violated with his “samy is my hero” xss for myspace.

  15. What’s the payload code?
    Thanks

  16. Just tested this and it works great with a basic iframe and src. Unfortunately I am not an iOS dev so don’t know the first thing about accessing the contacts DB.
    Did you find this manually or some other way like fuzzing every field? I guess as iPhone was the target it was difficult to automate?
    Set all fields to fuzz value1 –> check iPhone functionality for issues
    Set all fields to fuzz value2 –> check iPhone functionality for issues …and so on?

    • I tested this manually by putting identifiable code in each field that might be rendered back. Earlier this year, it was reported that both the Mac and Windows versions of Skype were vulnerable to XSS, so I thought “Why not in the iPhone app?”

  17. Nice XSS! Hope you gave Skype time to look at it.
    On iOS 5, the sandbox protection got better. Accessing files such as the contacts db or the call history is not possible anymore as it is today.
    But hybrid app developers (those who use WebKit in-app) should be more cautious, as they still need to protect data available in the app sandbox.

  18. Totally nice XSS! Where did you get the sqlite filename on the device?

  19. Very informative, thanks.

  20. Hello dear expert,

    A friend’s iPhone was stolen and someone was stupid enough to just
    turn it back on and input a new Skype name (while still using the old profile).

    So the thief is actually going online with it…

    Would you like to help us locate the thief and also fetch his address book?

  21. Sorry but there’s a few things that don’t stack up here unless I’m misunderstanding this :-

    1. From javascript, how are you accessing any arbitrary file ? The HTML5 file api only provides access to files within a browser created sandbox so won’t permit access to any file that you haven’t already created in the same sandbox. Maybe you are using another API e.g. Phonegap ?
    2. Even if you were able to do 1, you couldn’t access any file outside of the app sandbox so you couldn’t access /var/mobile/Library/AddressBook/AddressBook.sqlitedb unless you were running on a jailbroken device.

    I can see the XSS opportunity with your example and shame on Skype, but I don’t think you’ve proved the address book theft.

    • Thanks for your comment. Make sure to see my follow-up post Skype XSS Explained

      To answer your question…

      1. Any app that uses the “UIWebView” object to render HTML is taking advantage of the built-in Safari/WebKit browser components. By design, Safari allows JavaScript to access the filesystem if the page running the JavaScript is local to the file system. That’s the first mistake that Skype made here (the second is the XSS). No external API is needed to access local files because it is a feature of the Safari browser. The same is true for the desktop version of Safari.

      2. In iOS, the app sandbox greatly limits what files an application has access to; however, every app has access to the AddressBook file. This might change in the future, but for now any app in the app store or otherwise has access to the AddressBook database.

