lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 7 Jul 2015 12:15:22 +0300
From: Jaanus <jaanus.kaap@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Fake links in Skype

http://jaanuskp.blogspot.com/2015/07/fake-links-in-skype.html

The issue in Skype (bit hard to name it a real vulnerability) is actually a
simple one - you can send links that seem to direct user to one URL, but
actually send to some other. This is quite normal and expected in web pages <a
href="BAD_PLACE">GOOD_PLACE</a> but it is not expected from Skype, because
Skype creates these links itself and by default you can't create your own
urls. If you type www.google.com, then client will generate link from that
and it will point to www.google.com not to http://xkcd.com/932/ for example.

What becomes important, is the fact that the link structure (which is usual
HTML <a> tag) is created not by receiving client but by the sender. So my
client is not sending a simple www.google.com, but already ready link <a
href="http://www.google.com">www.google.com</a>. Usually this was not big
issue, because it's bit hard to build your own stuff on Skype protocol and
it might not been worth the effort. But now there exists a web client on
http://web.skype.com and things are MUCH simpler on that.

In web.skype.com client you can easily intercept (or write HTTP requests
yourself) the request that sends your message to the server and change the
href attribute inside a tag that was created automatically by javascript.
This is not only the http/https protocols that can be used. Elar Lang (
https://www.linkedin.com/in/elarlang ) noticed that it's also possible to
use other protocols such as file: data: skype: etc..
This also might create new attack vectors.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists