Skype says it is aware of the security issue, and has issued the following statement:
“We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.”
The non-patronizing first sentence would have been sufficient, Skype.
AppSec Consulting security researcher Phil Purviance, who also made the video below, writes:
File system access is partially mitigated by the iOS Application sandbox that Apple has implemented, preventing an attacker from accessing certain sensitive files. However, every iOS application has access to the user's AddressBook, and Skype is no exception.
On Twitter, Purviance says he reported the XSS vulnerability to Skype nearly a month ago.
Let’s hope a fix follows shortly now that he’s gotten media attention.