Vulnerability Name:

CCN-63129

Published:2010-11-08
Updated:2010-11-08
Summary:Skype for iPhone could allow a remote attacker from within the local network to bypass security restrictions, caused by the failure to ask for authorization prior to calling a number when invoked using a skype:// URL. By persuading a victim to visit a specially-crafted Web page, a remote attacker could cause the device to initiate a phone call without the user's permission.
CVSS v3 Severity:4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:2.9 Low (CCN CVSS v2 Vector: AV:A/AC:M/Au:N/C:N/I:P/A:N)
2.3 Low (CCN Temporal CVSS v2 Vector: AV:A/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:U/RC:UR)
Exploitability Metrics:Access Vector (AV): Adjacent_Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Consequences:Bypass Security
References:Source: CCN
Type: SA41546
Skype for iPhone URL Handler Dial Number Weakness

Source: CCN
Type: Nitesh Dhanjani blog, November 08, 2010
Insecure Handling of URL Schemes in Apple’s iOS

Source: CCN
Type: OSVDB ID: 69115
Skype for iPhone skype:// URL Handler Dial Arbitrary Number

Source: CCN
Type: Skype Web site
Skype - The whole world can talk for free.

Source: XF
Type: UNKNOWN
skype-iphone-url-security-bypass(63129)

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/o:apple:iphone_os:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:apple:iphone_os:3.0.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    apple iphone os 3.0
    apple iphone os 3.0.1