[youtube]http://www.youtube.com/watch?v=Ou_Iir2SklI[/youtube]
We discussed a few weeks ago about a bug in the Skype application which allows downloading the contact book on Android terminals, but the iOS version of the application does not have better security either. Using a javascript code entered in the user name, any hacker can steal our contact book by simply sending a text message in the Skype chat interface. In the video clip above, we have exemplified the operation and you can see how simple the contact book is copied from the iPhone without the user knowing what is happening.
If you are using Skype for iPhone or iPod Touch, the Address Book on your device can easily be stolen via a simple chat message. How does it work?: Javascript commands are entered into the user names Skype account, a chat message is sent to the user who is using the newest version of Skype for iPhone, and a program is loaded onto a web server to receive the Address Book happy
Unfortunately, users have no way to protect themselves against such an attack, and they wouldn't even have a way to find out that their entire contact book was stolen because they have no clue about this. The Javascript code can be entered by the hacker in his username, but the person he is talking to has no way of seeing it, so he does not know that he is being attacked. Unfortunately, only Skype can protect users against this kind of attack, but the American company did not recognize the problem and did not take any measures to fix it.
