Kiwi Security Expert Finds Flaw in Skype
A new security vulnerability has been found in Skype, which allows an attacker to obtain files that they would otherwise not have access to. The latest flaw was found by a New Zealand security researcher.
The flaw lies in the way Skype handles Uniform Resource Identifiers (URIs), the strings that name or address resources.
Security-Assessment.com discovered that, with one type of URI handler installed by Skype, it was possible to include additional command-line switches. One such switch sets up a file transfer session that allows data written to the local hard disk to be sent to another Skype user.
For an attacker to successfully exploit the flaw, he must know the exact name and location of the file he wants to transfer on the victim’s computer. The attacker must also authorise the victim, Security-Assessment.com says. This is easily done, with the attacker simply adding the victim to his contact list.
Skype programmers have been alerted to the exploit and are actively working on a solution. Look for an update to this widely used VoIP application in the very near future.