UPDATED 12:27 EDT / SEPTEMBER 20 2011

Skype Bug in iPhone App Allows Address Book Theft

A bug in the latest version of Skype for iPhone and iPod touch makes its users vulnerable to having their address book stolen just by viewing a specially crafted message. Simple solution: Don’t open text messages in the chat window, and check for a really quick update.

Cross-site scripting vulnerabilities are among the more popular attacks that hackers use, and they work just as well on smartphones as they do on PCs. They usually trick the user into launching code that they think is from a legitimate site, but can be used in other ways.

The finder of this bug discovered that, while most sensitive files on an iPhone are protected by the system, the address book is not, leaving it open to be accessed and uploaded by this bug.  For it to work, you’ll have to befriend some stranger who will then want to chat to you.

When a user receives the message in question and opens it, the exploit code runs automatically in the background and makes the victim’s device connect to a server previously set up by the attacker.

From there, the device grabs another payload which orders it to upload the file containing the address book to the server. All in all, the attack is executed in just a few minutes.

Setting aside for a moment the Skype client’s inability to properly sanitize JavaScript code, the bigger problem demonstrated by this PoC is the fact that, in spite of the existence of the iOS application sandbox which protects most files on the device, the AddressBook file is accessible to every application installed on it.

That means that, in theory, the compromise of any of these apps could yield the information contained in the AddressBook file to attackers.

Skype says it is aware of the security issue, and has issued the following statement:

“We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.”

AppSec Consulting security researcher Phil Purviance, who also made a video showing the bug, writes:

Executing arbitrary JavaScript code is one thing, but I found that Skype also improperly defines the URI scheme used by the built-in WebKit browser for Skype. Usually you will see the scheme set to something like “about:blank” or “skype-randomtoken”, but in this case it is actually set to “file://”. This gives an attacker access to the user's file system, and an attacker can access any file that the application itself would be able to access.

File system access is partially mitigated by the iOS Application sandbox that Apple has implemented, preventing an attacker from accessing certain sensitive files. However, every iOS application has access to the user's AddressBook, and Skype is no exception.
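The two defects described above (chat content reaching the embedded view unencoded, and the view running under a file:// base) can be shown side by side with their fixes. This is an added example, not code from Skype or from the researcher; the function names, message fields and sample messages are assumptions made for illustration.

```javascript
// Added illustration: all names and the markup template are hypothetical.

// Characters that let text break out of HTML element content or a quoted attribute.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 'Before': untrusted fields are concatenated into markup as-is,
// so any tags in them become live markup in the chat view.
function renderMessageUnsafe(msg) {
  return '<div class="msg"><b>' + msg.sender + "</b>: " + msg.body + "</div>";
}

// 'After': every field that comes from the remote party is encoded.
function renderMessageSafe(msg) {
  return '<div class="msg"><b>' + escapeHtml(msg.sender) + "</b>: " +
    escapeHtml(msg.body) + "</div>";
}

// Second layer: refuse to build the chat document under a file:// base,
// so a missed encoding bug does not also inherit local file access.
function buildChatDocument(messages, baseUrl) {
  if (new URL(baseUrl).protocol === "file:") {
    throw new Error("refusing file:// base URL for remote-controlled content");
  }
  return { baseUrl, html: messages.map(renderMessageSafe).join("\n") };
}

// Constructed sample input: one ordinary message, one carrying markup.
const SAMPLE_MESSAGES = [
  { sender: "alice", body: "lunch & coffee?" },
  { sender: "mallory", body: '<img src=x onerror="alert(1)">' },
];
```

The HTML string and base URL returned by `buildChatDocument` are what the host app would hand to its web view; the sandbox behaviour of the AddressBook file itself is outside what application code like this can change.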

