Simple Skype flaw cause of account hijacking

July 21st, 2011        

German IT security expert Levent Kayan discovered a simple but particularly nasty vulnerability in Skype that enables an attacker to gain access to session IDs and user account data, including passwords.

To exploit the cross-site scripting bug, an attacker needs to enter a command string in the “mobile phone” field of a targeted user.

Skype confirmed the problem, but considers it to be a “minor issue”, while the researcher categorizes the threat level as “high”. Kayan said that other input fields that also lack input validation may be affected by the vulnerability as well. In a response to Forbes, Skype spokesperson Chaim Haas said that the problem only affects “top contacts” as they need access to this particular field. “As you can imagine, someone who you deal with frequently is probably unlikely to take advantage of this bug anyway,” Haas said.
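The missing input validation on the “mobile phone” field, shown from the defender's side as an added example (not Skype's code or the researcher's): the value is checked against an allowlist when it is saved and HTML-encoded whenever it is displayed. The function names and the phone-number format rule are assumptions made for illustration.

```javascript
'use strict';
// Added example: hypothetical helper names, constructed sample input.

// Allowlist (assumed rule): optional leading +, then 7 to 15 digits.
const PHONE_RE = /^\+?[0-9]{7,15}$/;

// Write-time check. Strips the separators people normally type, then
// applies the allowlist. Returns the normalized number, or null when
// the value must be rejected instead of stored.
function normalizePhone(raw) {
  if (typeof raw !== 'string' || raw.length > 32) return null;
  const compact = raw.replace(/[\s().-]/g, '');
  return PHONE_RE.test(compact) ? compact : null;
}

// Display-time encoding of the five HTML-significant characters, so a
// value that reached storage before validation existed (or through
// another client) is shown as text and never parsed as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a contact's stored phone value for an HTML profile view.
// Encoding is unconditional: it does not rely on the write-time check.
function renderPhoneField(stored) {
  return '<span class="phone">' + escapeHtml(stored) + '</span>';
}

// Constructed sample values for a profile's "mobile phone" field.
const samples = ['+49 (30) 1234-5678', '"><b>injected</b>', '12345'];
for (const s of samples) {
  console.log(JSON.stringify(s),
    '| accepted as:', normalizePhone(s),
    '| rendered as:', renderPhoneField(s));
}
```

The two layers are independent on purpose: validation keeps malformed data out of the profile, while output encoding protects every viewer even when another field or an older client skipped validation.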

Kayan noted that there is no sign that the bug is already being exploited by attackers. All Skype versions up to version 5.3.0.120 are affected, on Windows XP, Vista and 7 as well as Mac OS X.

SOURCE via Forbes
