Explaining the Cross Site Scripting Bug in Skype for Windows [RESOLVED]
Updated July 20, 2011 – This issue is now resolved.
Currently, there is a Cross Site Scripting (XSS) bug present in the Skype Home area of the Skype for Windows client. Cross Site Scripting (XSS) is a problem where someone is able to put malicious content onto a web page that other people will view later. If this content is not filtered correctly when someone visits that web page, it could result in them being redirected somewhere else, having pop-ups appear on their screen, or, worse yet, being sent to a web site that hosts a virus or trojan.
Unfortunately, Skype for Windows is not correctly validating some fields of your contacts’ profiles. What this means is that if one of your Skype contacts has put specific strings into their profile, your Skype Home area could be redirected to another web page, or a message could be displayed.
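The post does not show how Skype Home builds its page, so the following is an added JavaScript example, not Skype's code: it assumes the view is assembled from profile fields as HTML strings, and uses hypothetical field names (`displayName`, `mood`) and a constructed sample profile. It contrasts concatenating profile text straight into markup, where the text is interpreted as HTML, with escaping every untrusted field at the point of output, which is the fix the post's description calls for.

```javascript
// Added example (not Skype's own code): rendering a contact's profile fields
// into an HTML view, first in the pattern that lets profile text be treated as
// markup, then with the fields escaped so they render as plain text.

// Escape the five characters that can change HTML context. Assumption: the
// profile text is inserted into element content or a double-quoted attribute.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: profile fields concatenated straight into the template,
// so any markup in the field becomes part of the page.
function renderProfileUnsafe(profile) {
  return `<div class="contact"><h2>${profile.displayName}</h2>` +
         `<p>${profile.mood}</p></div>`;
}

// Hardened pattern: every untrusted field is escaped where it is written out.
function renderProfileSafe(profile) {
  return `<div class="contact"><h2>${escapeHtml(profile.displayName)}</h2>` +
         `<p>${escapeHtml(profile.mood)}</p></div>`;
}

// Check used to make the difference measurable: does the rendered HTML contain
// any tag that the template itself did not emit?
function containsForeignTag(html) {
  const allowed = new Set(["div", "/div", "h2", "/h2", "p", "/p"]);
  const tags = [...html.matchAll(/<\s*(\/?\s*[a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].replace(/\s+/g, "").toLowerCase());
  return tags.some((t) => !allowed.has(t));
}

// Constructed sample profile (hypothetical field names): both fields carry
// markup that a browser would interpret instead of displaying as text.
const sampleProfile = {
  displayName: "Alice <b>Example</b>",
  mood: "hello <script>alert('xss')</script>",
};

console.log("unsafe:", renderProfileUnsafe(sampleProfile));
console.log("safe:  ", renderProfileSafe(sampleProfile));
```

The check function only exists to demonstrate the point; in a real client the test is simply that profile text is never inserted into the document without escaping (or, where the view uses the DOM, that it is assigned through `textContent` rather than `innerHTML`).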
In order for someone to cause these messages to pop up or to redirect you to a web site, they would first have to be one of your accepted Skype contacts. However, this vulnerability should not exist, and we are finalising testing of a fix that is due to be pushed out early next week.
The fix will not require you to update your Skype client; the change will take effect without you needing to perform any updates. Of course, as always, I urge everyone to be on the latest version of Skype, as we are continually updating and improving not only the security, but also the features within our products.