Cross-Site Request Forgery (CSRF) Vulnerability
A browser-level vulnerability has been revealed by Secure Science Corporation that could impact Skype users.
Any user who is logged into their account on Skype.com and, while still logged in, visits a malicious Web site is exposed to this attack. The malicious site can then act on the user’s account and perform a limited number of actions, such as changing the user’s voicemail or call forwarding settings. However, the user’s account password is not compromised at any time, and users of the Skype client are not affected.
The simplest technique is similar to a phishing attack, only a bit more interactive:
Attacker: Hello, I apologize for the disruption, but this is a friendly reminder that Skype is having a special today. We are offering $25.00 extra credit in your SkypeOut account if you do “X.” We will never ask you for your username or password over Skype Instant Messaging.
That “X” can be anything that leads a user who is logged into their Web-based Skype account to view another site.
Attacker2: Hello, were you just contacted by someone promising $25.00 extra credit? This is the Skype Fraud Detection (SFD) department; we believe that your computer may be infected. We need you to go to this site to check for and eliminate the infection (X-Fake-Security-Site). As this is Skype-specific, anti-virus software cannot eliminate this threat. Note: the SFD will never request your Skype password.
In both cases, the attacker never asked for the Skype username or password.
To protect yourself from this vulnerability, we recommend that you take the following steps:
- Close all browser windows before logging into your secure account (https) on Skype.com to execute any transactions or change any account settings.
- Make sure to log out of your account on Skype.com when you’re done buying Skype credit or a subscription and/or making other changes to your account settings.
- Log out of secure Web sites before clicking on any link from any source other than the secure page you have open. In other words, do not visit any other Web sites until you have logged out of your secure Skype.com account.
As always, do not click on links from unknown people in instant messages or links in “spam” or untrusted e-mails. Plus, it’s not a good time to multi-task when you are logged into any secure Web site.
Skype is hard at work changing how these Web pages operate in order to address this vulnerability and to keep our users safe from this type of attack.
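One standard server-side defense for the settings pages described above, shown as an added illustration in Python and not Skype’s own code: the first handler authorizes a call-forwarding change on the session cookie alone, which the browser attaches to requests from any site, while the hardened handler also requires a per-session anti-CSRF token and rejects a mismatched Origin header. The endpoint shape, the in-memory session store and the site origin are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Hypothetical server-side session for a logged-in Skype.com user."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    forwarding: str = ""


# Constructed in-memory store: session cookie value -> Session.
SESSIONS: dict[str, Session] = {}


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def vulnerable_set_forwarding(cookie_sid: str, form: dict) -> int:
    """Authorizes on the session cookie alone. A third-party page can trigger
    this request and the browser attaches the cookie automatically."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401
    sess.forwarding = form["number"]
    return 200


def hardened_set_forwarding(cookie_sid: str, form: dict, origin_header,
                            site_origin: str = "https://www.skype.com") -> int:
    """Same change, but the request must prove it came from our own pages."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401
    # If the browser sent an Origin header, it must name our site (assumed origin).
    if origin_header is not None and origin_header != site_origin:
        return 403
    # Require the per-session secret embedded in our own form; another site
    # cannot read it, and an omitted or guessed token fails this comparison.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403
    sess.forwarding = form["number"]
    return 200
```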