Security researcher Phil discover a Cross-Site Scripting vulnerability exists in the “Chat Message” window in Skype 3.0.1 and earlier versions for iPhone and iPod Touch devices.
XSS in Skype
File system access is partially mitigated by the iOS Application sandbox that Apple has implemented, preventing an attacker from accessing certain sensitive files. However, every iOS application has access to the users AddressBook, and Skype is no exception.
He also created a proof of concept injection and attack that shows that a users AddressBook can indeed be stolen from an iPhone or iPod touch with this vulnerability.
To further demonstrate the issue, he had recorded a video of this scenario.
Please see the video & use the comments section on his blog for your questions.
Skype Attack Message
Skype Attack Loading
In case anyone is wondering, Phill disclosed the vulnerability to Skype on 8/24 & been told an update would be released early this August but no update yet.