Georgian security researcher Ucha Gobejishvili identified major cross-site scripting (XSS) vulnerabilities on the Skype Shop (shop.skype.com) website and in the Skype Application Programming Interface (API) site (api.skype.com).
The first site is the official Skype store where customers can purchase anything from headsets, phones, webcams, mobiles, and microphones.
According to a blog post on 1337 Blog, the expert’s personal site, the XSS flaw discovered on these sites could allow an attacker to hijack cookies if he manages to convince the potential victim to click on a specially designed link. If exploited successfully, a hacker could hijack the user’s session and even steal his/her account.
Given the large number of visitors this site has, the vulnerability can be catalogued as being a “high risk” issue.
The vulnerabilities have been reported to Skype and the company’s representatives redirected it to Microsoft’s Security Response Center (MSRC), which now handles certain problems found in Skype.
The API site is currently down, which may be an indication to the fact that the flaw affecting it may be addressed. We’ll return with an update as soon as more information is made available.
This is not the first security hole identified by Gobejishvili on a site owned by Microsoft. Earlier he found similar weaknesses on Microsoft MSN Solutions Center and Microsoft AdCenter Service
Other XSS vulnerabilities identified by the researcher and submitted to XSSed.com include one found on the official website of the Federal Emergency Management Agency (FEMA.gov), an organization governed by the U.S. Department of Homeland Security (DHS).
Another one was discovered on the site of the European Commission (ec.europa.eu). Even though the issues were reported about a week ago, so far none of these websites’ administrators patched them up, leaving them exposed to cybercriminal operations.