Another XSS security flaw discovered in Skype; taps Facebook integration
A security researcher has discovered a potentially major security flaw in Skype, apparently caused by the communication package/service's recently launched close integration with Facebook.
According to David Vieira-Kurz of the SecAlert newswire, the Facebook integration has introduced a cross-site scripting (XSS) flaw into the Skype software, allowing the remote hijacking of a Skype session and potentially compromising a user's system.
This is, he claims, due to a lack of output sanitisation and allows a victim to be attacked even if they are not a Facebook friend or Skype contact of the attacker. Vieira-Kurz has posted a proof-of-concept video showing how the flaw can be exploited. According to security forum reports, the problem affects the Windows version of Skype from v5.3 onwards and stems from the extension of the Facebook API to the Skype client environment.