I think MSRC was on the money on this one. On Thu, 12 May 2016 at 23:39, Danny Kopping <[email protected]> wrote:
> First-time poster here. I've been told to submit this issue to FD since > Microsoft's Security Team rejected this out of hand because it doesn't meet > their arbitrary definition of a vulnerability. > > "Thank you for contacting the Microsoft Security Response Center (MSRC). > Upon investigation we have determined that this is not a valid > vulnerability." > > Below is the original message i sent to [email protected]: > > *------------------- Original Message -------------------* > Hi > > I've found a way to conduct a phishing attack on unsuspecting users by > exploiting the image preview functionality found in modern versions of > Skype (only tested on Mac so far). > > Right at the outset here I'll say that i'm not a security researcher, just > a lowly programmer. > > The exploit is very very simple. > Skype announces that it is fetching an image preview when requesting an > HTTP(S) link from a server. The User-Agent header is: > > Mozilla/5.0 (Windows NT 6.1; WOW64) *SkypeUriPreview* Preview/0.5 > > This can be exploited to respond with different (even if not malicious) > content which is disingenuous. > > My proof of concept can be found here: > http://infomaniac.co.za/skype-phish/ > > In Skype, when the link is pasted, appears like this: > [image: Inline image 1] > > And when clicked, you are shown a Facebook login form: > [image: Inline image 2] > > After filling out the form and submitting it, you then see: > > [image: Inline image 3] > > The exploit is very simple and the code can be found here: > http://infomaniac.co.za/phish.zip > > I hope Skype will take steps to improve the safety and security of its > regular non-technical users. > > I believe this particular issue can be mitigated by simply not including a > specific User-Agent string in requests. > > Thank you > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
