lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Jan 2008 09:59:13 +0200 From: Miroslav Lučinskij <miroslav.lucinskij@...tical.lt> To: full-disclosure@...ts.grok.org.uk Subject: Skype videomood XSS I want to share some of our thoughts on Skype security. I will try to be short: Skype has a feature, which allows user to insert a video into his mood - video selection is done through skype partners and is based on regular WEB functionality. So this feature practically inherits WEB's problems - in this particular case it's XSS attacks. In fact, Skype security is now dependant on their partners website security as no additional measures are taken to filter possible malicious content, that may come from the partners - dailymotion and metacafe are treated like trusted resources. This is wrong and may cause trouble. We were able to find some permanent XSS vectors in dailymotion.com: videos have a 'Title' field, which is not properly filtered and returned to user in certain conditions. So it becomes possible to execute malicious script content when user is searching for a video to add to his mood. You may also test it by entering word 'saugumas' in dailymotion.com video search field. Screenshots are available here: http://www.critical.lt/?opinions/show/1470 Best regards, Miroslav Lučinskij, Critical Security Lithuania, Vilnius _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists