Microsoft has squashed a claim by a German security researcher that Skype is vulnerable to cross site scripting (XSS) attacks.
The company said the exploit posted online in an advisory was benign.
Levent Kayan said the Skype client contained a persistent code injection vulnerability caused by a lack of input validation and output sanitisation of phone contact entry fields.
Kayan said it would allow an attacker to inject HTML or Javascript code into fields that were meant to contain names and phone numbers.
Skype said the attack was impossible because the vulnerable entry fields were not internet-accessible windows.
The vulnerability had credibility because Kayne last month released details of a similar high-profile exploit of the Skype client.
That attack allowed Skype contacts to be hijacked with a string of code injected into the mobile phone entry field. An attacker could run script on the victim’s machine and obtain their session ID and account details.
The flaw was fixed.
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
