lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 11 May 2016 22:57:08 +0200
From: Danny Kopping <dannykopping@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Skype Phishing Attack

First-time poster here. I've been told to submit this issue to FD since
Microsoft's Security Team rejected this out of hand because it doesn't meet
their arbitrary definition of a vulnerability.

"Thank you for contacting the Microsoft Security Response Center (MSRC).
Upon investigation we have determined that this is not a valid
vulnerability."

Below is the original message i sent to secure@...rosoft.com:

*------------------- Original Message -------------------*
Hi

I've found a way to conduct a phishing attack on unsuspecting users by
exploiting the image preview functionality found in modern versions of
Skype (only tested on Mac so far).

Right at the outset here I'll say that i'm not a security researcher, just
a lowly programmer.

The exploit is very very simple.
Skype announces that it is fetching an image preview when requesting an
HTTP(S) link from a server. The User-Agent header is:

Mozilla/5.0 (Windows NT 6.1; WOW64) *SkypeUriPreview* Preview/0.5

This can be exploited to respond with different (even if not malicious)
content which is disingenuous.

My proof of concept can be found here:
http://infomaniac.co.za/skype-phish/

In Skype, when the link is pasted, appears like this:
[image: Inline image 1]

And when clicked, you are shown a Facebook login form:
[image: Inline image 2]

After filling out the form and submitting it, you then see:

[image: Inline image 3]

The exploit is very simple and the code can be found here:
http://infomaniac.co.za/phish.zip

I hope Skype will take steps to improve the safety and security of its
regular non-technical users.

I believe this particular issue can be mitigated by simply not including a
specific User-Agent string in requests.

Thank you

Download attachment "image.png" of type "image/png" (82333 bytes)

Download attachment "image.png" of type "image/png" (64587 bytes)

Download attachment "image.png" of type "image/png" (9514 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ