CONFUSION REIGNS as the online voice over IP (VoIP), chat and video telephony outfit Skype claims that users need not worry about a cross-site scripting (XSS) vulnerability that a researcher published over the weekend.
Skype's recent link-up with the social network Facebook allows users of the two networks to interact. However, David Vieira-Kurz of Security Alert demonstrated a proof-of-concept XSS vulnerability that can compromise a user's Skype session and a user's system. Other reports claim that the vulnerability affects Skype for Windows from version 5.3 onwards, with H-Online being told that Skype is working on a fix.
When The INQUIRER contacted Skype for the latest on the issue, it was forwarded a statement that contradicts reports from three days ago. The statement claims that all affected users - those running Skype for Windows versions 5.3 and 5.5 - should already be protected.
"The newly reported Cross Site Scripting (XSS) vulnerability that allows your Facebook stream to pop-up messages or redirect you to other Web sites is actually an issue that was fixed recently by an update deployed to users. All affected users should already be protected. Skype users do not need to install any updates for this fix to take effect," said Skype in a statement.
If you head on over to Skype's website, the version available for download is still 5.5, and while build numbers could be different, there's little to comfort users worried about having their Skype sessions and indeed their computers hijacked. During the weekend none of The INQUIRER's Skype for Windows users were offered an update, so we rang up Skype's London marketing representative who repeated the statement that "all affected users are protected", but wouldn't tell us whether this was through a background update that happened without the users' knowledge or something that could be fixed server side.
Given the widely reported nature of this vulnerability, it is surprising to see Skype promulgate such a vague message. Even if it has managed to plug a hole affecting so many of its users, it should do a better job of informing users, rather than keep them guessing.
At this time it seems that the security of Skype's Facebook integration is in a state of, well, limbo. µ